
Windows Analysis Report
tA6etkt3gb.exe

Overview

General Information

Sample name: tA6etkt3gb.exe (renamed because the original name is a hash value)
Original sample name: a599e020f718cf8c8f2c4cbc4dd53a20.exe
Analysis ID: 1428423
MD5: a599e020f718cf8c8f2c4cbc4dd53a20
SHA1: 204471dfbe8595643042f780f6a41e11af6933d6
SHA256: 624f4d882c679941ae0fbedd47554d2dd8419c3d5e6492d020b004719c164974
Tags: 32, Amadey, exe, trojan

Detection

Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
System process connects to network (likely due to code injection or exploit)
Yara detected Amadeys Clipper DLL
Yara detected Amadeys stealer DLL
Yara detected PureLog Stealer
Yara detected RedLine Stealer
Yara detected RisePro Stealer
Yara detected zgRAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs new ROOT certificates
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains an invalid checksum
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
Sigma detected: Suspicious Add Scheduled Task Parent
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • tA6etkt3gb.exe (PID: 5204 cmdline: "C:\Users\user\Desktop\tA6etkt3gb.exe" MD5: A599E020F718CF8C8F2C4CBC4DD53A20)
    • explorha.exe (PID: 6196 cmdline: "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe" MD5: A599E020F718CF8C8F2C4CBC4DD53A20)
      • rundll32.exe (PID: 6816 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main MD5: 889B99C52A60DD49227C5E485A016679)
        • rundll32.exe (PID: 5608 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main MD5: EF3179D498793BF4234F708D3BE28633)
          • netsh.exe (PID: 6452 cmdline: netsh wlan show profiles MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
            • conhost.exe (PID: 1828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • powershell.exe (PID: 7264 cmdline: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal MD5: 04029E121A0CFA5991749937DD22A1D9)
            • conhost.exe (PID: 7276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • rundll32.exe (PID: 7216 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main MD5: 889B99C52A60DD49227C5E485A016679)
      • amert.exe (PID: 7312 cmdline: "C:\Users\user\AppData\Local\Temp\1000054001\amert.exe" MD5: 47786A32E7A47031EE41BD1C2EE24B39)
      • fb1076712b.exe (PID: 7640 cmdline: "C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe" MD5: 34491075D86DBE293DDD347B8F89F590)
        • chrome.exe (PID: 7688 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
          • chrome.exe (PID: 7924 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=2212,i,10105345457242715727,1817496549640985262,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
          • chrome.exe (PID: 8552 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5268 --field-trial-handle=2212,i,10105345457242715727,1817496549640985262,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
          • chrome.exe (PID: 8560 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 --field-trial-handle=2212,i,10105345457242715727,1817496549640985262,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
          • chrome.exe (PID: 6416 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3592 --field-trial-handle=2212,i,10105345457242715727,1817496549640985262,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
          • chrome.exe (PID: 8900 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1612 --field-trial-handle=2212,i,10105345457242715727,1817496549640985262,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
      • a14d081f84.exe (PID: 1456 cmdline: "C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe" MD5: FDA558788F4A8C86423D97EE694671FC)
        • schtasks.exe (PID: 8764 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
          • conhost.exe (PID: 8784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 8820 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
          • conhost.exe (PID: 8852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • WerFault.exe (PID: 6756 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 2108 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • explorha.exe (PID: 8720 cmdline: "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe" MD5: A599E020F718CF8C8F2C4CBC4DD53A20)
  • svchost.exe (PID: 7824 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • chrosha.exe (PID: 8276 cmdline: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe MD5: 47786A32E7A47031EE41BD1C2EE24B39)
  • fb1076712b.exe (PID: 9104 cmdline: "C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe" MD5: 34491075D86DBE293DDD347B8F89F590)
    • chrome.exe (PID: 4820 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
      • chrome.exe (PID: 8644 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=2008,i,7358717374769390442,8105426175949255574,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  • MPGPH131.exe (PID: 8912 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: FDA558788F4A8C86423D97EE694671FC)
    • WerFault.exe (PID: 8780 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8912 -s 2112 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 8740 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: FDA558788F4A8C86423D97EE694671FC)
    • WerFault.exe (PID: 6952 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8740 -s 2060 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • a14d081f84.exe (PID: 7468 cmdline: "C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe" MD5: FDA558788F4A8C86423D97EE694671FC)
  • svchost.exe (PID: 8696 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 5960 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1456 -ip 1456 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 4788 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 8912 -ip 8912 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 2728 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 8740 -ip 8740 MD5: C31336C1EFC2CCB44B4326EA793040F2)
    • WerFault.exe (PID: 8632 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7480 -ip 7480 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • RageMP131.exe (PID: 8680 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: FDA558788F4A8C86423D97EE694671FC)
  • explorha.exe (PID: 9160 cmdline: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe MD5: A599E020F718CF8C8F2C4CBC4DD53A20)
  • chrosha.exe (PID: 7284 cmdline: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe MD5: 47786A32E7A47031EE41BD1C2EE24B39)
    • swiiiii.exe (PID: 7480 cmdline: "C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe" MD5: 1C7D0F34BB1D85B5D2C01367CC8F62EF)
      • conhost.exe (PID: 7516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • RegAsm.exe (PID: 5588 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • rundll32.exe (PID: 8628 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7472 cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main MD5: EF3179D498793BF4234F708D3BE28633)
  • fb1076712b.exe (PID: 7424 cmdline: "C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe" MD5: 34491075D86DBE293DDD347B8F89F590)
    • chrome.exe (PID: 4020 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
      • chrome.exe (PID: 9136 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=2004,i,17688205100475661311,15377141121242979989,262144 /prefetch:8 MD5: 5BBFA6CBDF4C254EB368D534F9E23C92)
  • cleanup
Malware family information (Name / Description / Attribution / Blogpost URLs / Link):

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name: zgRAT
Description: zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an infostealer use which targets browser information and cryptowallets. Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
{"C2 url": ["193.233.132.56/Pneh2sXQk0/index.php"]}
Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\ai7r4g0iAr_FU6jbGEv2feP.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
(20 further entries not shown)

Source | Rule | Description | Author
00000012.00000003.2481957933.0000000004A60000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
0000001E.00000002.2745944296.00000000012E6000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000002A.00000003.2763648199.0000000004A40000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
0000001E.00000003.2651044580.0000000007B09000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
(40 further entries not shown)

Source | Rule | Description | Author
8.2.rundll32.exe.6c880000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
8.2.rundll32.exe.6c880000.0.unpack | JoeSecurity_Amadey_3 | Yara detected Amadey's Clipper DLL | Joe Security
43.2.chrosha.exe.ce0000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
18.2.chrosha.exe.ce0000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
11.2.amert.exe.6a0000.0.unpack | JoeSecurity_Amadey_2 | Yara detected Amadey's stealer DLL | Joe Security
(3 further entries not shown)

System Summary

Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe, ProcessId: 6196, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fb1076712b.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 5608, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, ProcessId: 7264, ProcessName: powershell.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe, ProcessId: 6196, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fb1076712b.exe
Source: Process started | Author: Nasreddine Bencherchali (Nextron Systems), frack113 | Data: Command: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 5608, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, ProcessId: 7264, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST, CommandLine: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe, ParentProcessId: 1456, ParentProcessName: a14d081f84.exe, ProcessCommandLine: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST, ProcessId: 8764, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 5608, ParentProcessName: rundll32.exe, ProcessCommandLine: powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal, ProcessId: 7264, ProcessName: powershell.exe
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 7824, ProcessName: svchost.exe

Stealing of Sensitive Information

Source: Process started | Author: Joe Security | Data: Command: netsh wlan show profiles, CommandLine: netsh wlan show profiles, CommandLine|base64offset|contains: l, Image: C:\Windows\System32\netsh.exe, NewProcessName: C:\Windows\System32\netsh.exe, OriginalFileName: C:\Windows\System32\netsh.exe, ParentCommandLine: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main, ParentImage: C:\Windows\System32\rundll32.exe, ParentProcessId: 5608, ParentProcessName: rundll32.exe, ProcessCommandLine: netsh wlan show profiles, ProcessId: 6452, ProcessName: netsh.exe
No Snort rule has matched

AV Detection

Source: tA6etkt3gb.exe | Avira: detected
Source: http://pesterbdd.com/images/Pester.png | URL Reputation: Label: malware
Source: http://193.233.132.167/cost/lenin.exe | URL Reputation: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\NewB[1].exe | Avira: detection malicious, Label: TR/Redcap.pernp
Source: 8.2.rundll32.exe.6c880000.0.unpack | Malware Configuration Extractor: Amadey {"C2 url": ["193.233.132.56/Pneh2sXQk0/index.php"]}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\NewB[1].exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\cred64[1].dll | ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\swiiii[1].exe | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\Startup[1].exe | ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\alexxxxxxxx[1].exe | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\clip64[1].dll | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\file300un[1].exe | ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\gold[1].exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\jok[1].exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\amadka[1].exe | ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\build_1GyXIDXRUC[1].exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\clip64[1].dll | ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\cred64[1].dll | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\swiiiii[1].exe | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\1000149001\gold.exe | ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe | ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\1000153001\swiiii.exe | ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\1000167001\build_1GyXIDXRUC.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\1000173001\Startup.exe | ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\1000181001\file300un.exe | ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll | ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll | ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll | ReversingLabs: Detection: 91%
Source: tA6etkt3gb.exe | ReversingLabs: Detection: 39%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\NewB[1].exe | Joe Sandbox ML: detected
Source: tA6etkt3gb.exe | Joe Sandbox ML: detected
Source: 8.2.rundll32.exe.6c880000.0.unpack | String decryptor: 193.233.132.56
Source: 8.2.rundll32.exe.6c880000.0.unpack | String decryptor: /Pneh2sXQk0/index.php
Source: tA6etkt3gb.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6C88BA1E FindFirstFileExW, 8_2_6C88BA1E
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_0090C2A2 FindFirstFileExW, 13_2_0090C2A2
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_009468EE FindFirstFileW,FindClose, 13_2_009468EE
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_0094698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 13_2_0094698F
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_0093D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 13_2_0093D076
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_0093D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 13_2_0093D3A9
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_00949642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 13_2_00949642
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeCode function: 13_2_0094979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,13_2_0094979D
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeCode function: 13_2_0093DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,13_2_0093DBBE
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeCode function: 13_2_00949B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,13_2_00949B2B
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeCode function: 13_2_00945C97 FindFirstFileW,FindNextFileW,FindClose,13_2_00945C97
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppDataJump to behavior
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\LocalJump to behavior
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\Videos\desktop.iniJump to behavior
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\userJump to behavior
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\Music\desktop.iniJump to behavior
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\OneDrive\desktop.iniJump to behavior

Networking

Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 193.233.132.56 80
Source: C:\Windows\System32\rundll32.exe | Network Connect: 193.233.132.167 80
Source: Malware configuration extractor | IPs: 193.233.132.56
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT826D.tmp, type: DROPPED
Source: Joe Sandbox View | IP Address: 34.117.186.192
Source: Joe Sandbox View | IP Address: 193.233.132.56
Source: Joe Sandbox View | ASN Name: FREE-NET-ASFREEnetEU
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Code function: 1_2_001CD8D0 recv,recv,recv,recv,1_2_001CD8D0
Source: fb1076712b.exe, 0000001B.00000002.2819083114.000000000109C000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000001B.00000003.2812698863.000000000109B000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000001B.00000003.2787438184.000000000105C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/accountf equals www.youtube.com (Youtube)
Source: fb1076712b.exe, 0000000D.00000002.2668846034.0000000003CCB000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000003.2661241476.0000000003CBA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/accountn equals www.youtube.com (Youtube)
Source: a14d081f84.exe, 00000011.00000003.2545113322.00000000079E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: 3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26 equals www.youtube.com (Youtube)
Source: a14d081f84.exe, 00000011.00000003.2545113322.00000000079E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: 3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_lo`c equals www.youtube.com (Youtube)
Source: a14d081f84.exe, 00000011.00000003.2554280863.00000000079E6000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2545113322.00000000079E0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2628017103.0000000007B48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Khttps://www.youtube.com/account equals www.youtube.com (Youtube)
Source: a14d081f84.exe, 00000011.00000003.2545113322.00000000079E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/s equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001E.00000003.2628017103.0000000007B48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&passive=true&service=youtube&uilel=3&ifkv=ARZ0qKL6c8goKeviJGNxHxUxCe8K7xWseNVnmquqguno1P8sSi3HvmldXhCMIINJbM5zB7Dor3HKSA equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001E.00000003.2628017103.0000000007B48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en equals www.youtube.com (Youtube)
Source: MPGPH131.exe, 0000001E.00000003.2628017103.0000000007B48000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26feature%3Dredirect_login&hl=en&ifkv=ARZ0qKLiwO4uQPWv4GRzcP3BE6GlAuxQajxEqSe0rgAN8p6GcEZihlBPGM6x8cS8d9VxCvkFDavU5w&passive=true&service=youtube&uilel=3&flowName=GlifWebSignIn&flowEntry=ServiceLogin&dsh=S-418467268%3A1713473613349329&theme=mn&ddm=0 equals www.youtube.com (Youtube)
Source: fb1076712b.exe, 0000000D.00000003.2662711419.0000000003CE1000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000003.2661944984.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000002.2668946102.0000000003CE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/account equals www.youtube.com (Youtube)
Source: fb1076712b.exe, 0000000D.00000003.2662711419.0000000003CE1000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000003.2661944984.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000002.2668946102.0000000003CE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/account$ equals www.youtube.com (Youtube)
Source: fb1076712b.exe, 0000000D.00000003.2663803199.0000000003C90000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000003.2654819557.0000000003C89000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000003.2654723196.0000000003C80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/account)S equals www.youtube.com (Youtube)
Source: fb1076712b.exe, 0000000D.00000003.2662711419.0000000003CE1000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000003.2661944984.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000002.2668946102.0000000003CE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/account< equals www.youtube.com (Youtube)
Source: fb1076712b.exe, 0000000D.00000003.2662711419.0000000003CE1000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000003.2661944984.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000002.2668946102.0000000003CE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/accounte equals www.youtube.com (Youtube)
Source: a14d081f84.exe, 00000011.00000003.2545113322.00000000079E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ignin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com%252Faccount%26fe equals www.youtube.com (Youtube)
Source: a14d081f84.exe, 00000011.00000003.2545113322.00000000079E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: n?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.com equals www.youtube.com (Youtube)
Source: a14d081f84.exe, 00000011.00000003.2545113322.00000000079E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: n?action_handle_signin%3Dtrue%26app%3Ddesktop%26hl%3Den%26next%3Dhttps%253A%252F%252Fwww.youtube.come equals www.youtube.com (Youtube)
Source: a14d081f84.exe, 00000011.00000003.2545113322.00000000079E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: n?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Faction_hand8f equals www.youtube.com (Youtube)
Source: a14d081f84.exe, 00000011.00000003.2567470596.000000000143A000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2672552114.000000000143D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000002.2745944296.00000000012E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: a14d081f84.exe, 00000011.00000003.2567470596.000000000143A000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2672552114.000000000143D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeata?0S
Source: a14d081f84.exe, 00000011.00000002.2672552114.000000000143D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000002.2745944296.00000000012E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/go.exe
Source: a14d081f84.exe, 00000011.00000003.2567470596.000000000143A000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2672552114.000000000143D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000002.2745944296.00000000012E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/lenin.exe
Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/lenin.exe.exe68.0
Source: a14d081f84.exe, 00000011.00000003.2567470596.000000000143A000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2672552114.000000000143D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/lenin.exea.ac
Source: a14d081f84.exe, 00000011.00000003.2567470596.000000000143A000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2672552114.000000000143D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/lenin.exeser
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/random.exe
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/random.exeyI)
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/sarra.exe
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/sarra.exe-Iu
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/sarra.exe.168.2.6
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/sarra.exe4Hn
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/sarra.exe6a&I
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/cost/sarra.exe86
Source: explorha.exe, 00000002.00000002.3649423302.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/mine/amert.exe
Source: explorha.exe, 00000002.00000002.3649423302.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/mine/amert.exe1
Source: explorha.exe, 00000002.00000002.3649423302.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/mine/amert.exeV
Source: explorha.exe, 00000002.00000002.3649423302.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/mine/amert.exehp
Source: explorha.exe, 00000002.00000002.3649423302.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.167/mine/random.exe
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2505986332.000002B04F5B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/015f815db2cd0aea5fb37b3eefba1586aa0e
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/015f815db2cd0aea5fb37b3eefba1586aa0e156001
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/015f815db2cd0aea5fb37b3eefba1586aa0e17e76#da#
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/015f815db2cd0aea5fb37b3eefba1586aa0e17e76adaaT
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/015f815db2cd0aea5fb37b3eefba1586aa0e17eun1
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/33.132.56/214e40adc2dc8e2a9e730e8b2e8b2446fe1e928766ada#
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/33.132.56/;S
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/33.132.56/Data
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/33.132.56/Pictures
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/33.132.56/a
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dll
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dllA8
Source: explorha.exe, 00000002.00000002.3649423302.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/Plugins/cred64.dll
Source: rundll32.exe, 00000008.00000002.3588493265.00000000034F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php$
Source: explorha.exe, 00000002.00000002.3649423302.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php00054001
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php4
Source: explorha.exe, 00000002.00000002.3649423302.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php51a4f
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php8
Source: rundll32.exe, 00000005.00000002.2505986332.000002B04F58B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php9
Source: rundll32.exe, 00000005.00000002.2506410842.000002B051590000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2505986332.000002B04F5B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1
Source: rundll32.exe, 00000005.00000002.2505986332.000002B04F5B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1(
Source: rundll32.exe, 00000005.00000002.2506410842.000002B051590000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1A
Source: rundll32.exe, 00000005.00000002.2506410842.000002B051590000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.php?wal=1m
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpD
Source: rundll32.exe, 00000008.00000002.3588493265.00000000034F0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpT
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpX
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpded3
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpdedN
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpf182f2
Source: explorha.exe, 00000002.00000002.3649423302.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpi
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpl
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/Pneh2sXQk0/index.phpt
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/i2
Source: rundll32.exe, 00000005.00000002.2505986332.000002B04F5B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/pData
Source: rundll32.exe, 00000005.00000002.2506410842.000002B051590000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/ry
Source: explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://193.233.132.56/ta
Source: svchost.exe, 0000000F.00000003.3346687948.00000264C0010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3356971183.00000264BFB2D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3346536322.00000264BAD1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: svchost.exe, 0000000F.00000003.3346687948.00000264C0010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3356971183.00000264BFB2D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3346536322.00000264BAD1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: svchost.exe, 0000000F.00000003.3346687948.00000264C0010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3356971183.00000264BFB2D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3346536322.00000264BAD1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: svchost.exe, 0000000F.00000003.3346687948.00000264C0010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3356971183.00000264BFB2D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3346536322.00000264BAD1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: svchost.exe, 0000000F.00000002.3791153756.00000264BFA00000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.ver)
Source: svchost.exe, 0000000F.00000003.3346687948.00000264C0010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3356971183.00000264BFB2D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3346536322.00000264BAD1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: svchost.exe, 0000000F.00000003.3346687948.00000264C0010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3356971183.00000264BFB2D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3346536322.00000264BAD1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: svchost.exe, 0000000F.00000003.3346687948.00000264C0010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3356971183.00000264BFB2D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3346536322.00000264BAD1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: svchost.exe, 0000000F.00000003.3346536322.00000264BAD1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: svchost.exe, 0000000F.00000003.3346687948.00000264C0010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3356971183.00000264BFB2D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3346536322.00000264BAD1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: svchost.exe, 0000000F.00000003.2405216432.00000264BF930000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000009.00000002.2416896058.000001DC018D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2445357143.000001DC10075000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: svchost.exe, 0000000F.00000003.3346687948.00000264C0010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3356971183.00000264BFB2D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3346536322.00000264BAD1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: svchost.exe, 0000000F.00000003.3346687948.00000264C0010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3356971183.00000264BFB2D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3346536322.00000264BAD1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: svchost.exe, 0000000F.00000003.3346687948.00000264C0010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3356971183.00000264BFB2D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3346536322.00000264BAD1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: svchost.exe, 0000000F.00000003.3346687948.00000264C0010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3356971183.00000264BFB2D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3346536322.00000264BAD1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
Source: powershell.exe, 00000009.00000002.2416896058.000001DC00228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.2416896058.000001DC00228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: powershell.exe, 00000009.00000002.2416896058.000001DC00001000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.2416896058.000001DC00228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: powershell.exe, 00000009.00000002.2416896058.000001DC00228000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 0000000F.00000003.3346687948.00000264C0010000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3356971183.00000264BFB2D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3346536322.00000264BAD1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: a14d081f84.exe, 00000011.00000003.2443781465.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2670373091.0000000000C11000.00000040.00000001.01000000.00000012.sdmp, MPGPH131.exe, 0000001E.00000002.2743444356.0000000000411000.00000040.00000001.01000000.00000014.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
                                Source: a14d081f84.exe, 00000011.00000002.2670373091.0000000000C11000.00000040.00000001.01000000.00000012.sdmpString found in binary or memory: http://www.winimage.com/zLibDllDp
                                Source: a14d081f84.exe, 00000011.00000003.2443781465.0000000004E90000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://www.winimage.com/zLibDllDpRTpR
                                Source: MPGPH131.exe, 0000001E.00000002.2743444356.0000000000411000.00000040.00000001.01000000.00000014.sdmpString found in binary or memory: http://www.winimage.com/zLibDllDpSTpS
                                Source: a14d081f84.exe, 00000011.00000003.2543962831.00000000079F7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2546001688.0000000007A20000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2555455462.0000000007A21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2631836314.0000000007B81000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2611464919.0000000007B81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                                Source: a14d081f84.exe, 00000011.00000003.2545113322.00000000079E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.c
                                Source: a14d081f84.exe, 00000011.00000003.2545113322.00000000079E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/s
                                Source: a14d081f84.exe, 00000011.00000003.2554280863.00000000079E6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2628017103.0000000007B48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/InteractiveLogin?continue=https://www.youtube.com/signin?action_handle_s
                                Source: a14d081f84.exe, 00000011.00000003.2545113322.00000000079E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/Service
                                Source: a14d081f84.exe, 00000011.00000003.2554280863.00000000079E6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2628017103.0000000007B48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/ServiceLogin?service=youtube&uilel=3&passive=true&continue=https%3A%2F%2
                                Source: a14d081f84.exe, 00000011.00000003.2554280863.00000000079E6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2628017103.0000000007B48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/v3/signin/identifier?continue=https%3A%2F%2Fwww.youtube.com%2Fsignin%3Fa
                                Source: powershell.exe, 00000009.00000002.2416896058.000001DC00001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
                                Source: powershell.exe, 00000009.00000002.2416896058.000001DC00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2416896058.000001DC014AE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelp
                                Source: powershell.exe, 00000009.00000002.2416896058.000001DC01626000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
                                Source: a14d081f84.exe, 00000011.00000003.2543962831.00000000079F7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2546001688.0000000007A20000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2555455462.0000000007A21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2631836314.0000000007B81000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2611464919.0000000007B81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                                Source: a14d081f84.exe, 00000011.00000003.2543962831.00000000079F7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2546001688.0000000007A20000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2555455462.0000000007A21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2631836314.0000000007B81000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2611464919.0000000007B81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                                Source: a14d081f84.exe, 00000011.00000003.2543962831.00000000079F7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2546001688.0000000007A20000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2555455462.0000000007A21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2631836314.0000000007B81000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2611464919.0000000007B81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                                Source: powershell.exe, 00000009.00000002.2445357143.000001DC10075000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
                                Source: powershell.exe, 00000009.00000002.2445357143.000001DC10075000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
                                Source: powershell.exe, 00000009.00000002.2445357143.000001DC10075000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52T
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52
                                Source: svchost.exe, 0000000F.00000002.3811894214.00000264BFA54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.3664641531.00000264BAD02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.3791153756.00000264BFA1F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe
                                Source: svchost.exe, 0000000F.00000002.3595493275.0000009634EFB000.00000004.00000010.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.3664641531.00000264BAD02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3281658681.00000264BF932000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.3685155227.00000264BB240000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3366977063.00000264BF935000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe9C:
                                Source: svchost.exe, 0000000F.00000002.3636053512.00000264BA4A2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exeeeC
                                Source: svchost.exe, 0000000F.00000002.3822509874.00000264BFA84000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://download.iolo.net:443/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.ex
                                Source: a14d081f84.exe, 00000011.00000003.2543962831.00000000079F7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2546001688.0000000007A20000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2555455462.0000000007A21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2631836314.0000000007B81000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2611464919.0000000007B81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                                Source: a14d081f84.exe, 00000011.00000003.2543962831.00000000079F7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2546001688.0000000007A20000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2555455462.0000000007A21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2631836314.0000000007B81000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2611464919.0000000007B81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                                Source: a14d081f84.exe, 00000011.00000003.2543962831.00000000079F7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2546001688.0000000007A20000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2555455462.0000000007A21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2631836314.0000000007B81000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2611464919.0000000007B81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                                Source: svchost.exe, 0000000F.00000003.2405216432.00000264BF98E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
                                Source: svchost.exe, 0000000F.00000003.2405216432.00000264BF930000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
                                Source: powershell.exe, 00000009.00000002.2416896058.000001DC00228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2671676369.00000000013E4000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2671676369.000000000137E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013BE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/E
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/Mozilla/5.0
                                Source: a14d081f84.exe, 00000011.00000003.2443781465.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2670373091.0000000000C11000.00000040.00000001.01000000.00000012.sdmp, MPGPH131.exe, 0000001E.00000002.2743444356.0000000000411000.00000040.00000001.01000000.00000014.sdmpString found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013DB000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2671676369.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000002.2745944296.000000000125B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52
                                Source: MPGPH131.exe, 0000001E.00000002.2745944296.000000000125B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.522=
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013A7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.524
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.524
                                Source: powershell.exe, 00000009.00000002.2416896058.000001DC018D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2445357143.000001DC10075000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                                Source: MPGPH131.exe, 0000001E.00000002.2745944296.00000000012E6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.96v
                                Source: a14d081f84.exe, 00000011.00000002.2676382409.00000000079B7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2567220564.00000000079FA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2651044580.0000000007B09000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2651935051.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2651686568.0000000007B09000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000002.2758476389.0000000007B23000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORT
                                Source: MPGPH131.exe, 0000001E.00000003.2651044580.0000000007B09000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2651935051.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2651686568.0000000007B09000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000002.2758476389.0000000007B23000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTRNAME=
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2566360446.0000000007A1D000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2567508830.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2676382409.00000000079B7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2566507110.0000000007A21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2651044580.0000000007B09000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2651935051.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2651686568.0000000007B09000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000002.2758209507.0000000007AFC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000002.2745944296.000000000125B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000002.2758476389.0000000007B23000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2650205605.0000000007B91000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot.52
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot_
                                Source: MPGPH131.exe, 0000001E.00000002.2745944296.000000000125B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bota=
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botisepro_bot
                                Source: a14d081f84.exe, 00000011.00000003.2543962831.00000000079F7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2546001688.0000000007A20000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2555455462.0000000007A21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2631836314.0000000007B81000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2611464919.0000000007B81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                                Source: a14d081f84.exe, 00000011.00000003.2543962831.00000000079F7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2546001688.0000000007A20000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2555455462.0000000007A21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2631836314.0000000007B81000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2611464919.0000000007B81000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                                Source: fb1076712b.exe, 0000000D.00000003.2660431825.0000000003CCE000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2554280863.00000000079E6000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2545113322.00000000079E0000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000001B.00000003.2815068147.00000000039F5000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000001B.00000003.2757492839.00000000039E7000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000001B.00000003.2813835658.0000000003A73000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000001B.00000003.2758477744.00000000039EE000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000001B.00000002.2822140000.0000000003A73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2628017103.0000000007B48000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/account
                                Source: fb1076712b.exe, 0000000D.00000003.2662711419.0000000003CE1000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000003.2661944984.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000002.2668946102.0000000003CE8000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000003.2660431825.0000000003CCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/account$
                                Source: fb1076712b.exe, 0000000D.00000003.2663803199.0000000003C90000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000003.2654819557.0000000003C89000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000003.2654723196.0000000003C80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/account)S
                                Source: fb1076712b.exe, 0000000D.00000003.2662711419.0000000003CE1000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000003.2661944984.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000002.2668946102.0000000003CE8000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000003.2660431825.0000000003CCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/accounte
                                Source: fb1076712b.exe, 0000001B.00000002.2819083114.000000000109C000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000001B.00000003.2812698863.000000000109B000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000001B.00000003.2787438184.000000000105C000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000001B.00000003.2786559543.0000000001057000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/accountf
                                Source: fb1076712b.exe, 0000000D.00000002.2668846034.0000000003CCB000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000003.2661241476.0000000003CBA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/accountn
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeCode function: 13_2_0094EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,13_2_0094EAFF
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeCode function: 13_2_0094ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,13_2_0094ED6A
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeCode function: 13_2_0094EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,13_2_0094EAFF
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeCode function: 13_2_0093AB9C GetKeyState,GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,13_2_0093AB9C
                                Source: fb1076712b.exe, 0000000D.00000003.2635677323.0000000003C3F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _WINAPI_GETRAWINPUTDATAWmemstr_9d45e1d1-e
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeCode function: 13_2_00969576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,13_2_00969576

                                System Summary

                                Source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT826D.tmp, type: DROPPED Matched rule: Detects zgRAT Author: ditekSHen
                                Source: fb1076712b.exe String found in binary or memory: This is a third-party compiled AutoIt script.
                                Source: fb1076712b.exe, 0000000D.00000000.2381257663.0000000000992000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.memstr_1fbfb1c8-a
                                Source: fb1076712b.exe, 0000000D.00000000.2381257663.0000000000992000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_493c632a-8
                                Source: fb1076712b.exe, 0000001B.00000000.2486401927.0000000000992000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.memstr_66b0f568-a
                                Source: fb1076712b.exe, 0000001B.00000000.2486401927.0000000000992000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_6b00cec3-c
                                Source: tA6etkt3gb.exe Static PE information: section name:
                                Source: tA6etkt3gb.exe Static PE information: section name: .idata
                                Source: explorha.exe.1.dr Static PE information: section name:
                                Source: explorha.exe.1.dr Static PE information: section name: .idata
                                Source: amert[1].exe.2.dr Static PE information: section name:
                                Source: amert[1].exe.2.dr Static PE information: section name: .idata
                                Source: amert[1].exe.2.dr Static PE information: section name:
                                Source: amert.exe.2.dr Static PE information: section name:
                                Source: amert.exe.2.dr Static PE information: section name: .idata
                                Source: amert.exe.2.dr Static PE information: section name:
                                Source: random[1].exe0.2.dr Static PE information: section name:
                                Source: random[1].exe0.2.dr Static PE information: section name: .idata
                                Source: random[1].exe0.2.dr Static PE information: section name:
                                Source: a14d081f84.exe.2.dr Static PE information: section name:
                                Source: a14d081f84.exe.2.dr Static PE information: section name: .idata
                                Source: a14d081f84.exe.2.dr Static PE information: section name:
                                Source: sarra[1].exe.2.dr Static PE information: section name:
                                Source: sarra[1].exe.2.dr Static PE information: section name: .idata
                                Source: sarra[1].exe.2.dr Static PE information: section name:
                                Source: chrosha.exe.11.dr Static PE information: section name:
                                Source: chrosha.exe.11.dr Static PE information: section name: .idata
                                Source: chrosha.exe.11.dr Static PE information: section name:
                                Source: RageMP131.exe.17.dr Static PE information: section name:
                                Source: RageMP131.exe.17.dr Static PE information: section name: .idata
                                Source: RageMP131.exe.17.dr Static PE information: section name:
                                Source: MPGPH131.exe.17.dr Static PE information: section name:
                                Source: MPGPH131.exe.17.drStatic PE information: section name: .idata
                                Source: MPGPH131.exe.17.drStatic PE information: section name:
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: 2_2_0041E227 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_0093D5EB: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_00931201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_0093E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | File created: C:\Windows\Tasks\explorha.job
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe | File created: C:\Windows\Tasks\chrosha.job
Source: C:\Windows\System32\svchost.exe | File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Code function: 1_2_001C5DC8
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Code function: 1_2_0020A220
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Code function: 1_2_001C4E60
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: 2_2_0040DD40
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: 2_2_0044A220
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: 2_2_00444330
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: 2_2_004224A3
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: 2_2_00448669
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: 2_2_004447C8
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: 2_2_00432257
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: 2_2_00422C92
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: 2_2_00448DBB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: 2_2_00404E60
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: 2_2_00448EDB
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: 2_2_004394E3
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: 2_2_00425481
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: 2_2_00427822
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6C8917A1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD33A9A3FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD33A9EADC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD33AA77F8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD33A99FFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD33A99EE0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD33AA06C5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD33AA4DFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 9_2_00007FFD33A9BCFB
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe | Code function: 11_2_006E707B
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe | Code function: 11_2_006E6809
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe | Code function: 11_2_006A60E0
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe | Code function: 11_2_006E24D0
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe | Code function: 11_2_006E2968
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe | Code function: 11_2_006E7EB0
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe | Code function: 11_2_006E6F5B
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe | Code function: 11_2_006D7780
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_00942046
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_008D8060
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_00938298
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_0090E4FF
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_0090676B
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_00964873
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_008FCAA0
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_008DCAF0
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_008ECC39
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_00906DD9
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_008D91C0
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_008EB119
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_008F1394
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_008F781B
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_008D7920
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_008E997D
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_008F7A4A
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_008F7CA7
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_00909EEE
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_0095BE44
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\NewB[1].exe 919AE827FF59FCBE3DBAEA9E62855A4D27690818189F696CFB5916A88C823226
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Code function: String function: 001D9750 appears 122 times
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: String function: 008D9CB3 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: String function: 008F0A30 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: String function: 008EF9F2 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: String function: 0041F620 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: String function: 0041EFE2 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: String function: 0041ECF8 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: String function: 0041ECE3 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: String function: 00419090 appears 44 times
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: String function: 00419750 appears 123 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 6C886A40 appears 34 times
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1456 -ip 1456
Source: file300un[1].exe.43.dr | Static PE information: No import functions for PE file found
Source: Startup.exe.43.dr | Static PE information: No import functions for PE file found
Source: file300un.exe.43.dr | Static PE information: No import functions for PE file found
Source: tA6etkt3gb.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT826D.tmp, type: DROPPED | Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: tA6etkt3gb.exe | Static PE information: Section: ZLIB complexity 0.998224907841823
Source: explorha.exe.1.dr | Static PE information: Section: ZLIB complexity 0.998224907841823
Source: amert[1].exe.2.dr | Static PE information: Section: ZLIB complexity 0.997707902892562
Source: amert[1].exe.2.dr | Static PE information: Section: cpdfasyf ZLIB complexity 0.9945380036276629
Source: amert.exe.2.dr | Static PE information: Section: ZLIB complexity 0.997707902892562
Source: amert.exe.2.dr | Static PE information: Section: cpdfasyf ZLIB complexity 0.9945380036276629
Source: random[1].exe0.2.dr | Static PE information: Section: ZLIB complexity 0.9915799344885884
Source: a14d081f84.exe.2.dr | Static PE information: Section: ZLIB complexity 0.9915799344885884
Source: sarra[1].exe.2.dr | Static PE information: Section: ZLIB complexity 0.991563424556213
Source: chrosha.exe.11.dr | Static PE information: Section: ZLIB complexity 0.997707902892562
Source: chrosha.exe.11.dr | Static PE information: Section: cpdfasyf ZLIB complexity 0.9945380036276629
Source: RageMP131.exe.17.dr | Static PE information: Section: ZLIB complexity 0.9915799344885884
Source: MPGPH131.exe.17.dr | Static PE information: Section: ZLIB complexity 0.9915799344885884
Source: chrosha.exe.11.dr | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: amert[1].exe.2.dr | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: amert.exe.2.dr | Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: file300un[1].exe.43.dr, ArgumentOutOfRangeNotGreaterThanBufferLengthgetApplicationBase.cs | Cryptographic APIs: 'CreateDecryptor'
Source: file300un.exe.43.dr, ArgumentOutOfRangeNotGreaterThanBufferLengthgetApplicationBase.cs | Cryptographic APIs: 'CreateDecryptor'
Source: classification engine | Classification label: mal100.phis.troj.spyw.evad.winEXE@143/189@0/27
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_009437B5 GetLastError,FormatMessageW
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_009310BF AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_009316C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_009451CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_0095A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_0094648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_008D42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1828:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:2728:64:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7276:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8740
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Mutant created: \Sessions\1\BaseNamedObjects\a091ec0a6e22276a96a99c1d34ef679c
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:4788:64:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7516:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \BaseNamedObjects\Local\SM0:5960:64:WilError_03
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Mutant created: \Sessions\1\BaseNamedObjects\c1ec479e5342a25940592acf24703eb2
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8784:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8852:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8912
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1456
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | File created: C:\Users\user\AppData\Local\Temp\09fd851a4f
Source: C:\Windows\SysWOW64\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\SysWOW64\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\SysWOW64\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\SysWOW64\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: a14d081f84.exe, 00000011.00000003.2443781465.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2670373091.0000000000C11000.00000040.00000001.01000000.00000012.sdmp, MPGPH131.exe, 0000001E.00000002.2743444356.0000000000411000.00000040.00000001.01000000.00000014.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: a14d081f84.exe, 00000011.00000003.2443781465.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2670373091.0000000000C11000.00000040.00000001.01000000.00000012.sdmp, MPGPH131.exe, 0000001E.00000002.2743444356.0000000000411000.00000040.00000001.01000000.00000014.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: rundll32.exe, 00000005.00000002.2505986332.000002B04F52B000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2556620750.0000000007A07000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2544105812.00000000079B5000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2556694676.0000000007A09000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2634715155.0000000007B19000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: tA6etkt3gb.exe | ReversingLabs: Detection: 39%
Source: tA6etkt3gb.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: explorha.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: amert.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | File read: C:\Users\user\Desktop\tA6etkt3gb.exe
Source: unknown | Process created: C:\Users\user\Desktop\tA6etkt3gb.exe "C:\Users\user\Desktop\tA6etkt3gb.exe"
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
Source: C:\Windows\System32\netsh.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Process created: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe "C:\Users\user\AppData\Local\Temp\1000054001\amert.exe"
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Process created: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe "C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe"
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=2212,i,10105345457242715727,1817496549640985262,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Process created: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe "C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5268 --field-trial-handle=2212,i,10105345457242715727,1817496549640985262,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 --field-trial-handle=2212,i,10105345457242715727,1817496549640985262,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe "C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe"
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=2008,i,7358717374769390442,8105426175949255574,262144 /prefetch:8
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3592 --field-trial-handle=2212,i,10105345457242715727,1817496549640985262,262144 /prefetch:8
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe "C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe"
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1456 -ip 1456
Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 2108
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1612 --field-trial-handle=2212,i,10105345457242715727,1817496549640985262,262144 /prefetch:8
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 8912 -ip 8912
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8912 -s 2112
Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 8740 -ip 8740
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8740 -s 2060
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe "C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe"
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=2004,i,17688205100475661311,15377141121242979989,262144 /prefetch:8
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe"
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
                                Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7480 -ip 7480
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeProcess created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, MainJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, MainJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeProcess created: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe "C:\Users\user\AppData\Local\Temp\1000054001\amert.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeProcess created: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe "C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeProcess created: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe "C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe" Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeProcess created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"Jump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, MainJump to behavior
                                Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\netsh.exe netsh wlan show profilesJump to behavior
                                Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel OptimalJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=2212,i,10105345457242715727,1817496549640985262,262144 /prefetch:8
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5268 --field-trial-handle=2212,i,10105345457242715727,1817496549640985262,262144 /prefetch:8
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 --field-trial-handle=2212,i,10105345457242715727,1817496549640985262,262144 /prefetch:8
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3592 --field-trial-handle=2212,i,10105345457242715727,1817496549640985262,262144 /prefetch:8
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1612 --field-trial-handle=2212,i,10105345457242715727,1817496549640985262,262144 /prefetch:8
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=2008,i,7358717374769390442,8105426175949255574,262144 /prefetch:8
                                Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1456 -ip 1456
                                Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 2108
                                Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 8912 -ip 8912
                                Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8912 -s 2112
                                Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 8740 -ip 8740
                                Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8740 -s 2060
                                Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7480 -ip 7480
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\svchost.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe"
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
                                Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=2004,i,17688205100475661311,15377141121242979989,262144 /prefetch:8
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
                                Source: C:\Windows\System32\rundll32.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\rundll32.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
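The process-creation records above, as an added example that is not part of the Joe Sandbox report: a small Python triage script that parses lines in this "Source ... Process created ..." form (including the run-together "exeProcess created:" spelling the extracted page uses), walks the parent chain back to the submitted sample, and flags the behaviours the report's signatures point at: rundll32 calling the Main export of cred64.dll/clip64.dll dropped under %APPDATA%\Roaming\<hex>\ (the Amadey stealer and clipper plugins), netsh wlan show profiles launched from rundll32 (Wi-Fi password capture), PowerShell Compress-Archive zipping a %TEMP% staging folder, schtasks persistence with /rl HIGHEST pointing into C:\ProgramData, and RegAsm.exe started with no arguments by a binary in %TEMP% (an injection host). The sample lines are copied from the report; the rule names, the parsing regex and the heuristic thresholds are my own assumptions.

```python
import re
from collections import namedtuple

# Constructed sample: process-creation records in the form the report prints them
# (paths and command lines copied from the report above; one WerFault crash-handler
# line and one "unknown" line kept as the benign noise a real report contains).
SAMPLE_LINES = [
    r'Source: C:\Users\user\Desktop\tA6etkt3gb.exe Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"',
    r'Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main',
    r'Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main',
    # the 32-bit rundll32 re-launching the 64-bit one for the 64-bit plugin DLL
    r'Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main',
    r'Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles',
    r"Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal",
    r'Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST',
    r'Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
    r'Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 2108',
    r'Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown',
]

# Accepts both "...exe Process created:" and the run-together "...exeProcess created:".
LINE_RE = re.compile(
    r"^Source:\s*(?P<parent>.+?)\s*Process created:\s*(?P<image>unknown|.+?\.exe)\s*(?P<cmdline>.*)$",
    re.IGNORECASE,
)

# parent: image of the creating process ("unknown" when the sandbox lost it)
ProcEvent = namedtuple("ProcEvent", "parent image cmdline")


def parse_events(lines):
    """Turn report lines into ProcEvent records, skipping anything that does not match."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(ProcEvent(m["parent"], m["image"], m["cmdline"].strip()))
    return events


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


# Heuristics (names are mine), each mirroring one of the report's signatures.
def rule_rundll32_roaming_dll(e):
    # rundll32 calling an export of a DLL dropped under %APPDATA%\<hex>\ (Amadey plugin pattern)
    return _base(e.image) == "rundll32.exe" and re.search(
        r"\\AppData\\Roaming\\[0-9a-f]+\\\w+\.dll,\s*\w+", e.cmdline, re.IGNORECASE) is not None


def rule_wifi_profile_dump(e):
    # "netsh wlan show profiles" is the first step of dumping saved Wi-Fi keys
    return _base(e.image) == "netsh.exe" and "wlan show profile" in e.cmdline.lower()


def rule_archive_staging(e):
    # PowerShell zipping a staging folder under %TEMP% into a %TEMP% archive before upload
    c = e.cmdline.lower()
    return _base(e.image) == "powershell.exe" and "compress-archive" in c and "\\temp\\" in c


def rule_schtasks_highest_programdata(e):
    # scheduled task at the highest run level pointing at a binary in C:\ProgramData
    c = e.cmdline.lower()
    return _base(e.image) == "schtasks.exe" and "/create" in c and "/rl highest" in c and "\\programdata\\" in c


def rule_regasm_no_args(e):
    # RegAsm.exe started with nothing but its own path by a binary under %TEMP%:
    # there is no assembly to register, so the process exists only to host injected code
    bare = e.cmdline.strip().strip('"') == e.image
    return _base(e.image) == "regasm.exe" and bare and "\\temp\\" in e.parent.lower()


RULES = {
    "rundll32_roaming_dll": rule_rundll32_roaming_dll,
    "wifi_profile_dump": rule_wifi_profile_dump,
    "archive_staging": rule_archive_staging,
    "schtasks_highest_programdata": rule_schtasks_highest_programdata,
    "regasm_no_args": rule_regasm_no_args,
}


def triage(lines):
    """Map each rule name to the command lines that triggered it."""
    hits = {}
    for e in parse_events(lines):
        for name, rule in RULES.items():
            if rule(e):
                hits.setdefault(name, []).append(e.cmdline)
    return hits


def ancestry(events, image, limit=16):
    """Walk creation records from `image` back to its earliest recorded ancestor.

    The first creator recorded for an image wins; the walk stops at an "unknown"
    parent or at a cycle (explorha.exe re-launches itself in the report).
    """
    first_parent = {}
    for e in events:
        first_parent.setdefault(e.image.lower(), e.parent)
    chain = [image]
    while len(chain) < limit:
        parent = first_parent.get(chain[-1].lower())
        if parent is None or parent.lower() == "unknown":
            break
        if parent.lower() in (c.lower() for c in chain):
            break
        chain.append(parent)
    return chain


if __name__ == "__main__":
    for name, cmds in triage(SAMPLE_LINES).items():
        print(f"[{name}]", *cmds, sep="\n    ")
    chain = ancestry(parse_events(SAMPLE_LINES), r"C:\Windows\System32\netsh.exe")
    print(" <- ".join(_base(p) for p in chain))
```

The ancestry walk is what turns the flat table into evidence: netsh.exe resolves back through the 64-bit rundll32, the 32-bit rundll32, explorha.exe and finally the submitted tA6etkt3gb.exe, which is the chain the "Capture Wi-Fi password" Sigma hit in the report describes. WerFault.exe and the Chrome utility children never trigger a rule, which is the intended behaviour: crash reporting and browser service processes are noise here, and the sandbox's own "unknown unknown" records are parsed but carry no image to match on.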
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: mstask.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: dui70.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: duser.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: chartv.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rasapi32.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: mfc42u.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: authfwcfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: fwpolicyiomgr.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcmonitor.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dot3cfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dot3api.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: onex.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: eappcfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: eappprxy.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: fwcfg.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: hnetmon.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: netshell.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nlaapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: netsetupapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: netiohlp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nettrace.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nshhttp.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: httpapi.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: nshipsec.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\netsh.exe | Section loaded: activeds.dll
                                Source: C:\Windows\System32\netsh.exeSection loaded: polstore.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: winipsec.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: nshwfp.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: p2p.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: rpcnsh.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: wcnnetsh.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: wlanapi.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: whhelper.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: winhttp.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: wlancfg.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: wshelper.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: wevtapi.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: mswsock.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: wwancfg.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: wwapi.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: wcmapi.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: rmclient.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: peerdistsh.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: slc.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: sppc.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: ktmw32.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: mprmsg.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\netsh.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kdscli.dllJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: apphelp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: winmm.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: wininet.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: sspicli.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: mstask.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: windows.storage.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: wldp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: mpr.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: dui70.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: duser.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: chartv.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: oleacc.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: atlthunk.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: textinputframework.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: coreuicomponents.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: coremessaging.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: ntmarta.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: coremessaging.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: wtsapi32.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: winsta.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: textshaping.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: propsys.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: explorerframe.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: windows.fileexplorer.common.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: iertutil.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeSection loaded: profapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: wsock32.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: version.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: winmm.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: mpr.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: wininet.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: iphlpapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: userenv.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: windows.storage.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: wldp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: propsys.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: profapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: edputil.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: urlmon.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: iertutil.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: srvcli.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: netutils.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: sspicli.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: appresolver.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: bcp47langs.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: slc.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: sppc.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: pcacli.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: sfc_os.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
                                Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: apphelp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: winmm.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: rstrtmgr.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: ncrypt.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: ntasn1.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: d3d11.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: dxgi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: resourcepolicyclient.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: d3d10warp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: dxcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: sspicli.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: ntmarta.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: winhttp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: wininet.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: mswsock.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: devobj.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: webio.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: iphlpapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: winnsi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: dnsapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: rasadhlp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: fwpuclnt.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: schannel.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: mskeyprotect.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: ncryptsslp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: msasn1.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: cryptsp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: rsaenh.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: cryptbase.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: gpapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: windows.storage.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: wldp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: vaultcli.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: dpapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeSection loaded: apphelp.dll
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeSection loaded: winmm.dll
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeSection loaded: wininet.dll
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
                                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: wsock32.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: version.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: winmm.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: mpr.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: wininet.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: iphlpapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: userenv.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: windows.storage.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: wldp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: propsys.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: profapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: edputil.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: urlmon.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: iertutil.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: srvcli.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: netutils.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: sspicli.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: wintypes.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: appresolver.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: bcp47langs.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: slc.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: sppc.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: pcacli.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeSection loaded: sfc_os.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: apphelp.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winmm.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rstrtmgr.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncrypt.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntasn1.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d11.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxgi.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: resourcepolicyclient.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: kernel.appcore.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d10warp.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: uxtheme.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxcore.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: sspicli.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winhttp.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wininet.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mswsock.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: devobj.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: webio.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: iphlpapi.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winnsi.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dnsapi.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rasadhlp.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: fwpuclnt.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: schannel.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mskeyprotect.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncryptsslp.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msasn1.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptsp.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rsaenh.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptbase.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: gpapi.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: vaultcli.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wintypes.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: windows.storage.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wldp.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntmarta.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dpapi.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winmm.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rstrtmgr.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncrypt.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntasn1.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d11.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxgi.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: resourcepolicyclient.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: kernel.appcore.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d10warp.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: uxtheme.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxcore.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: sspicli.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winhttp.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wininet.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mswsock.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: devobj.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: webio.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: iphlpapi.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winnsi.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dnsapi.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rasadhlp.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: fwpuclnt.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: schannel.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mskeyprotect.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncryptsslp.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msasn1.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptsp.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rsaenh.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptbase.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: gpapi.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: vaultcli.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wintypes.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: windows.storage.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wldp.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntmarta.dll
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dpapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: winmm.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: rstrtmgr.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: ncrypt.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: ntasn1.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: d3d11.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: dxgi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: resourcepolicyclient.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: kernel.appcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: d3d10warp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: uxtheme.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: dxcore.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: sspicli.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: winhttp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: wininet.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: mswsock.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: devobj.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: webio.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: iphlpapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: winnsi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: dnsapi.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: rasadhlp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: fwpuclnt.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: schannel.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: mskeyprotect.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: ncryptsslp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: msasn1.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: cryptsp.dll
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeSection loaded: rsaenh.dll
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
                                Source: Window Recorder Window detected: More than 3 window changes detected
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                                Source: C:\Windows\System32\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office
                                Source: tA6etkt3gb.exeStatic file information: File size 3034624 > 1048576
                                Source: tA6etkt3gb.exeStatic PE information: Raw size of mbzyibtj is bigger than: 0x100000 < 0x2b2a00

                                Data Obfuscation

                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeUnpacked PE file: 1.2.tA6etkt3gb.exe.1c0000.0.unpack :EW;.rsrc:W;.idata :W;mbzyibtj:EW;snnxyswc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;mbzyibtj:EW;snnxyswc:EW;.taggant:EW;
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeUnpacked PE file: 2.2.explorha.exe.400000.0.unpack :EW;.rsrc:W;.idata :W;mbzyibtj:EW;snnxyswc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;mbzyibtj:EW;snnxyswc:EW;.taggant:EW;
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exeUnpacked PE file: 11.2.amert.exe.6a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cpdfasyf:EW;thtvckdy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cpdfasyf:EW;thtvckdy:EW;.taggant:EW;
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeUnpacked PE file: 17.2.a14d081f84.exe.c10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ylghxgim:EW;rirxhfbq:EW; vs :ER;.rsrc:W;.idata :W; :EW;ylghxgim:EW;rirxhfbq:EW;
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeUnpacked PE file: 18.2.chrosha.exe.ce0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cpdfasyf:EW;thtvckdy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cpdfasyf:EW;thtvckdy:EW;.taggant:EW;
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeUnpacked PE file: 30.2.MPGPH131.exe.410000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ylghxgim:EW;rirxhfbq:EW; vs :ER;.rsrc:W;.idata :W; :EW;ylghxgim:EW;rirxhfbq:EW;
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeUnpacked PE file: 31.2.MPGPH131.exe.410000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ylghxgim:EW;rirxhfbq:EW; vs :ER;.rsrc:W;.idata :W; :EW;ylghxgim:EW;rirxhfbq:EW;
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeUnpacked PE file: 33.2.a14d081f84.exe.c10000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ylghxgim:EW;rirxhfbq:EW; vs :ER;.rsrc:W;.idata :W; :EW;ylghxgim:EW;rirxhfbq:EW;
                                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeUnpacked PE file: 38.2.RageMP131.exe.580000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ylghxgim:EW;rirxhfbq:EW; vs :ER;.rsrc:W;.idata :W; :EW;ylghxgim:EW;rirxhfbq:EW;
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeUnpacked PE file: 42.2.explorha.exe.400000.0.unpack :EW;.rsrc:W;.idata :W;mbzyibtj:EW;snnxyswc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;mbzyibtj:EW;snnxyswc:EW;.taggant:EW;
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeUnpacked PE file: 43.2.chrosha.exe.ce0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;cpdfasyf:EW;thtvckdy:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;cpdfasyf:EW;thtvckdy:EW;.taggant:EW;
                                Source: file300un[1].exe.43.dr, getStartTrimEntries.cs.Net Code: FileModeTYPEFLAGFRESTRICTED
                                Source: file300un[1].exe.43.dr, ShiftRightLogicalNarrowingUpperFileReplaceCompletionInformation.cs.Net Code: BindToStoragegetOSThreadId
                                Source: file300un.exe.43.dr, getStartTrimEntries.cs.Net Code: FileModeTYPEFLAGFRESTRICTED
                                Source: file300un.exe.43.dr, ShiftRightLogicalNarrowingUpperFileReplaceCompletionInformation.cs.Net Code: BindToStoragegetOSThreadId
                                Source: BIT826D.tmp.15.drStatic PE information: 0xEC3B20ED [Thu Aug 4 12:07:09 2095 UTC]
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeCode function: 13_2_008D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,13_2_008D42DE
                                Source: initial sampleStatic PE information: section where entry point is pointing to: .taggant
                                Source: chrosha.exe.11.drStatic PE information: real checksum: 0x1ca56a should be: 0x1cc8ba
                                Source: clip64.dll.2.drStatic PE information: real checksum: 0x0 should be: 0x1f783
                                Source: amert[1].exe.2.drStatic PE information: real checksum: 0x1ca56a should be: 0x1cc8ba
                                Source: Startup.exe.43.drStatic PE information: real checksum: 0x0 should be: 0x354444
                                Source: explorha.exe.1.drStatic PE information: real checksum: 0x2eae9a should be: 0x2eba03
                                Source: tA6etkt3gb.exeStatic PE information: real checksum: 0x2eae9a should be: 0x2eba03
                                Source: amert.exe.2.drStatic PE information: real checksum: 0x1ca56a should be: 0x1cc8ba
                                Source: cred64[1].dll.2.drStatic PE information: real checksum: 0x0 should be: 0x147ee8
                                Source: cred64.dll.2.drStatic PE information: real checksum: 0x0 should be: 0x147ee8
                                Source: clip64[1].dll.2.drStatic PE information: real checksum: 0x0 should be: 0x1f783
                                Source: tA6etkt3gb.exeStatic PE information: section name:
                                Source: tA6etkt3gb.exeStatic PE information: section name: .idata
                                Source: tA6etkt3gb.exeStatic PE information: section name: mbzyibtj
                                Source: tA6etkt3gb.exeStatic PE information: section name: snnxyswc
                                Source: tA6etkt3gb.exeStatic PE information: section name: .taggant
                                Source: explorha.exe.1.drStatic PE information: section name:
                                Source: explorha.exe.1.drStatic PE information: section name: .idata
                                Source: explorha.exe.1.drStatic PE information: section name: mbzyibtj
                                Source: explorha.exe.1.drStatic PE information: section name: snnxyswc
                                Source: explorha.exe.1.drStatic PE information: section name: .taggant
                                Source: cred64[1].dll.2.drStatic PE information: section name: _RDATA
                                Source: cred64.dll.2.drStatic PE information: section name: _RDATA
                                Source: amert[1].exe.2.drStatic PE information: section name:
                                Source: amert[1].exe.2.drStatic PE information: section name: .idata
                                Source: amert[1].exe.2.drStatic PE information: section name:
                                Source: amert[1].exe.2.drStatic PE information: section name: cpdfasyf
                                Source: amert[1].exe.2.drStatic PE information: section name: thtvckdy
                                Source: amert[1].exe.2.drStatic PE information: section name: .taggant
                                Source: amert.exe.2.drStatic PE information: section name:
                                Source: amert.exe.2.drStatic PE information: section name: .idata
                                Source: amert.exe.2.drStatic PE information: section name:
                                Source: amert.exe.2.drStatic PE information: section name: cpdfasyf
                                Source: amert.exe.2.drStatic PE information: section name: thtvckdy
                                Source: amert.exe.2.drStatic PE information: section name: .taggant
                                Source: random[1].exe0.2.drStatic PE information: section name:
                                Source: random[1].exe0.2.drStatic PE information: section name: .idata
                                Source: random[1].exe0.2.drStatic PE information: section name:
                                Source: random[1].exe0.2.drStatic PE information: section name: ylghxgim
                                Source: random[1].exe0.2.drStatic PE information: section name: rirxhfbq
                                Source: a14d081f84.exe.2.drStatic PE information: section name:
                                Source: a14d081f84.exe.2.drStatic PE information: section name: .idata
                                Source: a14d081f84.exe.2.drStatic PE information: section name:
                                Source: a14d081f84.exe.2.drStatic PE information: section name: ylghxgim
                                Source: a14d081f84.exe.2.drStatic PE information: section name: rirxhfbq
                                Source: sarra[1].exe.2.drStatic PE information: section name:
                                Source: sarra[1].exe.2.drStatic PE information: section name: .idata
                                Source: sarra[1].exe.2.drStatic PE information: section name:
                                Source: sarra[1].exe.2.drStatic PE information: section name: wmoofkkg
                                Source: sarra[1].exe.2.drStatic PE information: section name: sgbeqrzx
                                Source: chrosha.exe.11.drStatic PE information: section name:
                                Source: chrosha.exe.11.drStatic PE information: section name: .idata
                                Source: chrosha.exe.11.drStatic PE information: section name:
                                Source: chrosha.exe.11.drStatic PE information: section name: cpdfasyf
                                Source: chrosha.exe.11.drStatic PE information: section name: thtvckdy
                                Source: chrosha.exe.11.drStatic PE information: section name: .taggant
                                Source: RageMP131.exe.17.drStatic PE information: section name:
                                Source: RageMP131.exe.17.drStatic PE information: section name: .idata
                                Source: RageMP131.exe.17.drStatic PE information: section name:
                                Source: RageMP131.exe.17.drStatic PE information: section name: ylghxgim
                                Source: RageMP131.exe.17.drStatic PE information: section name: rirxhfbq
                                Source: MPGPH131.exe.17.drStatic PE information: section name:
                                Source: MPGPH131.exe.17.drStatic PE information: section name: .idata
                                Source: MPGPH131.exe.17.drStatic PE information: section name:
                                Source: MPGPH131.exe.17.drStatic PE information: section name: ylghxgim
                                Source: MPGPH131.exe.17.drStatic PE information: section name: rirxhfbq
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeCode function: 1_2_001D29A0 push esp; ret 1_2_001D29A1
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeCode function: 1_2_001C9420 push ebx; ret 1_2_001C942A
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeCode function: 1_2_001C8DE6 push esi; iretd 1_2_001C8DE7
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeCode function: 1_2_001DEFBC push ecx; ret 1_2_001DEFCF
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeCode function: 2_2_00432257 push 7C13C65Bh; mov dword ptr [esp], ecx2_2_004C0C8F
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeCode function: 2_2_00432257 push ebp; mov dword ptr [esp], eax2_2_004C0C95
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeCode function: 2_2_00432257 push ebx; mov dword ptr [esp], eax2_2_004C0D73
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeCode function: 2_2_00432257 push edi; mov dword ptr [esp], ebx2_2_004C0DEA
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeCode function: 2_2_00432257 push edx; mov dword ptr [esp], ecx2_2_004C0DFD
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeCode function: 2_2_00432257 push ebp; mov dword ptr [esp], ebx2_2_004C0E28
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeCode function: 2_2_00432257 push edx; mov dword ptr [esp], ecx2_2_004C0E4F
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeCode function: 2_2_00432257 push esi; mov dword ptr [esp], edx2_2_004C0F04
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeCode function: 2_2_0041EFBC push ecx; ret 2_2_0041EFCF
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeCode function: 2_2_0041F666 push ecx; ret 2_2_0041F679
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_6C886A86 push ecx; ret 8_2_6C886A99
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FFD33A97A9A push edi; iretd 9_2_00007FFD33A97A9B
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FFD33A9C79B push ds; iretd 9_2_00007FFD33A9C7BA
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 9_2_00007FFD33A9E61B push eax; iretd 9_2_00007FFD33A9E74A
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 9_2_00007FFD33A9BE51 push eax; iretd 9_2_00007FFD33A9E74A
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Code function: 9_2_00007FFD33A9F48B push FD33CF60h; iretd 9_2_00007FFD33A9F5CA
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe  Code function: 11_2_006BD2A1 push ecx; ret 11_2_006BD29F
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe  Code function: 13_2_008F0A76 push ecx; ret 13_2_008F0A89
                                Source: tA6etkt3gb.exe  Static PE information: section name:  entropy: 7.984093015905587
                                Source: explorha.exe.1.dr  Static PE information: section name:  entropy: 7.984093015905587
                                Source: amert[1].exe.2.dr  Static PE information: section name:  entropy: 7.982519758788136
                                Source: amert[1].exe.2.dr  Static PE information: section name: cpdfasyf entropy: 7.9538252106730924
                                Source: amert.exe.2.dr  Static PE information: section name:  entropy: 7.982519758788136
                                Source: amert.exe.2.dr  Static PE information: section name: cpdfasyf entropy: 7.9538252106730924
                                Source: random[1].exe0.2.dr  Static PE information: section name:  entropy: 7.9276871374700715
                                Source: random[1].exe0.2.dr  Static PE information: section name: ylghxgim entropy: 7.948706747319591
                                Source: a14d081f84.exe.2.dr  Static PE information: section name:  entropy: 7.9276871374700715
                                Source: a14d081f84.exe.2.dr  Static PE information: section name: ylghxgim entropy: 7.948706747319591
                                Source: sarra[1].exe.2.dr  Static PE information: section name:  entropy: 7.927713953231046
                                Source: sarra[1].exe.2.dr  Static PE information: section name: wmoofkkg entropy: 7.950376582524131
                                Source: chrosha.exe.11.dr  Static PE information: section name:  entropy: 7.982519758788136
                                Source: chrosha.exe.11.dr  Static PE information: section name: cpdfasyf entropy: 7.9538252106730924
                                Source: RageMP131.exe.17.dr  Static PE information: section name:  entropy: 7.9276871374700715
                                Source: RageMP131.exe.17.dr  Static PE information: section name: ylghxgim entropy: 7.948706747319591
                                Source: MPGPH131.exe.17.dr  Static PE information: section name:  entropy: 7.9276871374700715
                                Source: MPGPH131.exe.17.dr  Static PE information: section name: ylghxgim entropy: 7.948706747319591

                                Persistence and Installation Behavior

                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe  Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 Blob
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe  File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\NewB[1].exe
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe  File created: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\random[1].exe
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe  File created: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\swiiii[1].exe
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\swiiiii[1].exe
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\Startup[1].exe
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe  File created: C:\ProgramData\MPGPH131\MPGPH131.exe
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe  File created: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\jok[1].exe
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe  File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\cred64[1].dll
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\file300un[1].exe
                                Source: C:\Windows\System32\svchost.exe  File created: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (copy)
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\amert[1].exe
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe  File created: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Local\Temp\1000153001\swiiii.exe
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\amadka[1].exe
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Local\Temp\1000173001\Startup.exe
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\cred64[1].dll
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\build_1GyXIDXRUC[1].exe
                                Source: C:\Windows\System32\svchost.exe  File created: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT826D.tmp
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\random[1].exe
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\clip64[1].dll
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\gold[1].exe
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\alexxxxxxxx[1].exe
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\clip64[1].dll
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe  File created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Local\Temp\1000149001\gold.exe
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe  File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\sarra[1].exe
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe  File created: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Local\Temp\1000181001\file300un.exe
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  File created: C:\Users\user\AppData\Local\Temp\1000167001\build_1GyXIDXRUC.exe

                                Boot Survival

                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run a14d081f84.exe
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe  Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run fb1076712b.exe
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe  Window searched: window name: FilemonClass
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe  Window searched: window name: PROCMON_WINDOW_CLASS
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe  Window searched: window name: RegmonClass
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe  Window searched: window name: FilemonClass
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe  Window searched: window name: PROCMON_WINDOW_CLASS
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe  Window searched: window name: RegmonClass
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe  Window searched: window name: Regmonclass
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe  Window searched: window name: Filemonclass
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe  Window searched: window name: FilemonClass
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe  Window searched: window name: PROCMON_WINDOW_CLASS
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe  Window searched: window name: RegmonClass
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe  Window searched: window name: Regmonclass
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe  Window searched: window name: Filemonclass
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  Window searched: window name: FilemonClass
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  Window searched: window name: PROCMON_WINDOW_CLASS
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  Window searched: window name: RegmonClass
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  Window searched: window name: Regmonclass
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe  Window searched: window name: Filemonclass
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe  Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe  File created: C:\Windows\Tasks\explorha.job

                                Hooking and other Techniques for Hiding and Protection

                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeCode function: 13_2_008EF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,13_2_008EF98E
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeCode function: 13_2_00961C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,13_2_00961C41
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\netsh.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\conhost.exe, Process information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe, Process information set: NOOPENFILEERRORBOX
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe, Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\svchost.exe, Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exe, Process information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe, Process information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                                Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess graph_1-9633
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess graph_11-10413
                                Source: C:\Windows\SysWOW64\schtasks.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                                Source: C:\Windows\SysWOW64\schtasks.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe System information queried: FirmwareTableInformation
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe File opened: HKEY_CURRENT_USER\Software\Wine
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_CURRENT_USER\Software\Wine
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe File opened: HKEY_CURRENT_USER\Software\Wine
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe File opened: HKEY_CURRENT_USER\Software\Wine
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File opened: HKEY_CURRENT_USER\Software\Wine
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_CURRENT_USER\Software\Wine
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_CURRENT_USER\Software\Wine
                                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3ACCEE second address: 3ACCF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3ACCF7 second address: 3ACCFC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3ACCFC second address: 3ACD07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3ACD07 second address: 3ACD0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AD290 second address: 3AD29A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007F20B51B85B6h 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AD29A second address: 3AD29E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AD3DA second address: 3AD3EE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007F20B51B85BCh 0x0000000e rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AD3EE second address: 3AD402 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78D9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AD402 second address: 3AD406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AD406 second address: 3AD40A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AD40A second address: 3AD426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F20B51B85C0h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AD426 second address: 3AD42A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AD42A second address: 3AD430 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AD430 second address: 3AD436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AF584 second address: 3AF58A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AF58A second address: 3AF5A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jl 00007F20B4C78D96h 0x00000013 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AF5A3 second address: 3AF5CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 mov dword ptr [ebp+124505C8h], edx 0x0000000e push 00000000h 0x00000010 jmp 00007F20B51B85BBh 0x00000015 call 00007F20B51B85B9h 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AF5CC second address: 3AF633 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78DA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F20B4C78D9Dh 0x0000000e popad 0x0000000f push eax 0x00000010 pushad 0x00000011 push esi 0x00000012 jmp 00007F20B4C78D9Fh 0x00000017 pop esi 0x00000018 jg 00007F20B4C78D9Ch 0x0000001e popad 0x0000001f mov eax, dword ptr [esp+04h] 0x00000023 push ebx 0x00000024 pushad 0x00000025 pushad 0x00000026 popad 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a pop ebx 0x0000002b mov eax, dword ptr [eax] 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F20B4C78DA3h 0x00000034 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AF633 second address: 3AF6B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F20B51B85B6h 0x00000009 jmp 00007F20B51B85BBh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 js 00007F20B51B85BCh 0x0000001b pushad 0x0000001c push esi 0x0000001d pop esi 0x0000001e pushad 0x0000001f popad 0x00000020 popad 0x00000021 pop eax 0x00000022 jno 00007F20B51B85BCh 0x00000028 mov dword ptr [ebp+122D282Bh], ebx 0x0000002e push 00000003h 0x00000030 mov esi, eax 0x00000032 push 00000000h 0x00000034 mov edx, dword ptr [ebp+122D39C2h] 0x0000003a push 00000003h 0x0000003c mov ecx, 0FE685C9h 0x00000041 mov dx, 6B00h 0x00000045 push 645A761Fh 0x0000004a push esi 0x0000004b push ebx 0x0000004c jg 00007F20B51B85B6h 0x00000052 pop ebx 0x00000053 pop esi 0x00000054 add dword ptr [esp], 5BA589E1h 0x0000005b movsx edx, ax 0x0000005e lea ebx, dword ptr [ebp+12454471h] 0x00000064 mov di, 941Ch 0x00000068 add edi, 4E3FF508h 0x0000006e xchg eax, ebx 0x0000006f push eax 0x00000070 push edx 0x00000071 push edx 0x00000072 push edx 0x00000073 pop edx 0x00000074 pop edx 0x00000075 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AF6B4 second address: 3AF6BE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F20B4C78D9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AF868 second address: 3AF86E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AF86E second address: 3AF89A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jne 00007F20B4C78D9Ch 0x00000012 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AF89A second address: 3AF8E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F20B51B85C8h 0x00000008 jbe 00007F20B51B85B6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push edi 0x00000016 jmp 00007F20B51B85BFh 0x0000001b pop edi 0x0000001c mov eax, dword ptr [eax] 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F20B51B85BFh 0x00000025 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AF8E6 second address: 3AF8EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AF8EC second address: 3AF8F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AF8F0 second address: 3AF8F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AFA40 second address: 3AFA44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AFA44 second address: 3AFA4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AFA4A second address: 3AFA76 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 65E51292h 0x0000000f xor ecx, dword ptr [ebp+122D3946h] 0x00000015 lea ebx, dword ptr [ebp+12454485h] 0x0000001b xchg eax, ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F20B51B85BCh 0x00000025 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AFA76 second address: 3AFA7C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AFA7C second address: 3AFA96 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F20B51B85BCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jbe 00007F20B51B85C4h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3AFA96 second address: 3AFA9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3CE5F2 second address: 3CE609 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85C3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3CE609 second address: 3CE61C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F20B4C78D9Dh 0x0000000b rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3CE61C second address: 3CE621 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3CE7A8 second address: 3CE7AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3CE7AC second address: 3CE7E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a popad 0x0000000b pushad 0x0000000c jp 00007F20B51B85B8h 0x00000012 jnl 00007F20B51B85C8h 0x00000018 jng 00007F20B51B85B8h 0x0000001e push edi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3CE910 second address: 3CE945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F20B4C78D96h 0x0000000a jmp 00007F20B4C78DA0h 0x0000000f popad 0x00000010 jp 00007F20B4C78D98h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 pop esi 0x00000019 pushad 0x0000001a jmp 00007F20B4C78D9Ch 0x0000001f push eax 0x00000020 push edx 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3CEAC8 second address: 3CEACE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3CEACE second address: 3CEAD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3CEC0E second address: 3CEC12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3CED86 second address: 3CED93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3CED93 second address: 3CED99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3CED99 second address: 3CED9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3CF2FD second address: 3CF301 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3CF3FB second address: 3CF3FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3CF3FF second address: 3CF407 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3CF407 second address: 3CF414 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F20B4C78D98h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3CF6B9 second address: 3CF6BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3CF6BF second address: 3CF6D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F20B4C78D96h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3CF6D1 second address: 3CF6D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3C4CDB second address: 3C4CFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F20B4C78D96h 0x0000000a popad 0x0000000b jmp 00007F20B4C78DA7h 0x00000010 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3C4CFD second address: 3C4D1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F20B51B85BFh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3C4D1A second address: 3C4D24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F20B4C78D96h 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3C4D24 second address: 3C4D28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3C4D28 second address: 3C4D3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jg 00007F20B4C78D9Eh 0x0000000e rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3C4D3E second address: 3C4D5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F20B51B85C5h 0x00000009 jo 00007F20B51B85B6h 0x0000000f rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3A6112 second address: 3A6122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20B4C78D9Ch 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 3A6122 second address: 3A6126 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3A6126 second address: 3A6139 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20B4C78D9Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3CF807 second address: 3CF80C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3CF80C second address: 3CF818 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F20B4C78D9Eh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3CF818 second address: 3CF825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jp 00007F20B51B85B6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3CF825 second address: 3CF844 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c jne 00007F20B4C78D96h 0x00000012 jmp 00007F20B4C78D9Ch 0x00000017 pop edx 0x00000018 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3CFDBD second address: 3CFDC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3D0108 second address: 3D0136 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78DA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F20B4C78DA6h 0x0000000e rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3D0136 second address: 3D015C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F20B51B85CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007F20B51B85B6h 0x00000010 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3D015C second address: 3D0186 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F20B4C78D96h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pushad 0x00000018 jne 00007F20B4C78D96h 0x0000001e jmp 00007F20B4C78D9Ah 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3D02C5 second address: 3D0303 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20B51B85C6h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F20B51B85C5h 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 pop eax 0x00000014 push edi 0x00000015 pop edi 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3D0303 second address: 3D0307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3C4D3A second address: 3C4D3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3D44CF second address: 3D44D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3A2B09 second address: 3A2B0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3DB3FA second address: 3DB400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 396E82 second address: 396E92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F20B51B85B6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 396E92 second address: 396E96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3DA84E second address: 3DA871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F20B51B85D2h 0x0000000b jmp 00007F20B51B85C6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3DA9C0 second address: 3DA9D0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F20B4C78D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3DA9D0 second address: 3DA9D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3DA9D4 second address: 3DA9D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3DB0AD second address: 3DB0B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3DD356 second address: 3DD35B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3DD35B second address: 3DD360 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3DDE6B second address: 3DDE71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3DE09C second address: 3DE0A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3DE719 second address: 3DE722 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3DF0EC second address: 3DF0F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E0C2F second address: 3E0C33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E16E0 second address: 3E16F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F20B51B85BBh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E1446 second address: 3E1466 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78DA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E16F0 second address: 3E1714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F20B51B85C9h 0x00000010 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E1466 second address: 3E146C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E1714 second address: 3E1739 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F20B51B85C2h 0x00000010 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E146C second address: 3E1476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F20B4C78D96h 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E20B7 second address: 3E20BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E2A43 second address: 3E2ACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnc 00007F20B4C78D98h 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007F20B4C78D98h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 mov dword ptr [ebp+122D1C61h], edi 0x0000002f mov di, D95Fh 0x00000033 push 00000000h 0x00000035 mov dword ptr [ebp+122D2844h], edx 0x0000003b mov dword ptr [ebp+122D2CB0h], ecx 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push ebx 0x00000046 call 00007F20B4C78D98h 0x0000004b pop ebx 0x0000004c mov dword ptr [esp+04h], ebx 0x00000050 add dword ptr [esp+04h], 0000001Dh 0x00000058 inc ebx 0x00000059 push ebx 0x0000005a ret 0x0000005b pop ebx 0x0000005c ret 0x0000005d push eax 0x0000005e pushad 0x0000005f jmp 00007F20B4C78DA0h 0x00000064 push eax 0x00000065 push edx 0x00000066 push edx 0x00000067 pop edx 0x00000068 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E2ACA second address: 3E2ACE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E3471 second address: 3E3477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E31F9 second address: 3E321B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 pushad 0x00000008 jnp 00007F20B51B85C6h 0x0000000e jmp 00007F20B51B85C0h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E6F40 second address: 3E6F5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F20B4C78DA5h 0x0000000c rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E81AF second address: 3E81CC instructions: 0x00000000 rdtsc 0x00000002 jp 00007F20B51B85B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F20B51B85BDh 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E81CC second address: 3E81D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E916E second address: 3E917E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20B51B85BBh 0x00000009 popad 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3EB0BF second address: 3EB0C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3EB0C5 second address: 3EB0DE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F20B51B85BCh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3EA27D second address: 3EA283 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3EA283 second address: 3EA2A3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F20B51B85C0h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3EC204 second address: 3EC2B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F20B4C78DA5h 0x00000008 jno 00007F20B4C78D96h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jbe 00007F20B4C78DB2h 0x00000018 jnc 00007F20B4C78DACh 0x0000001e nop 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push esi 0x00000024 call 00007F20B4C78D98h 0x00000029 pop esi 0x0000002a mov dword ptr [esp+04h], esi 0x0000002e add dword ptr [esp+04h], 00000015h 0x00000036 inc esi 0x00000037 push esi 0x00000038 ret 0x00000039 pop esi 0x0000003a ret 0x0000003b call 00007F20B4C78DA9h 0x00000040 mov dword ptr [ebp+122D21B3h], edi 0x00000046 pop edi 0x00000047 push 00000000h 0x00000049 sbb edi, 5A66619Fh 0x0000004f xchg eax, esi 0x00000050 jmp 00007F20B4C78D9Dh 0x00000055 push eax 0x00000056 jp 00007F20B4C78DAEh 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F20B4C78D9Ch 0x00000063 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3ED437 second address: 3ED491 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007F20B51B85B8h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 00000019h 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 push 00000000h 0x00000029 mov di, 4775h 0x0000002d push 00000000h 0x0000002f mov edi, dword ptr [ebp+122D292Fh] 0x00000035 push eax 0x00000036 pushad 0x00000037 pushad 0x00000038 jne 00007F20B51B85B6h 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3ED491 second address: 3ED49A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3EE4C7 second address: 3EE4CC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3ED6E4 second address: 3ED6ED instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F098F second address: 3F099B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F20B51B85BCh 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F099B second address: 3F09B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 jmp 00007F20B4C78D9Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F1A83 second address: 3F1A89 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F1A89 second address: 3F1B01 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F20B4C78DA0h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e mov edi, dword ptr [ebp+122D1EA5h] 0x00000014 push 00000000h 0x00000016 jmp 00007F20B4C78DA4h 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push eax 0x00000020 call 00007F20B4C78D98h 0x00000025 pop eax 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a add dword ptr [esp+04h], 0000001Bh 0x00000032 inc eax 0x00000033 push eax 0x00000034 ret 0x00000035 pop eax 0x00000036 ret 0x00000037 sub dword ptr [ebp+12476F31h], esi 0x0000003d xchg eax, esi 0x0000003e jng 00007F20B4C78DA0h 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a popad 0x0000004b rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F1B01 second address: 3F1B05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F1B05 second address: 3F1B0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F1B0B second address: 3F1B10 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F2BBC second address: 3F2BDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jp 00007F20B4C78D96h 0x0000000c jmp 00007F20B4C78D9Eh 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F2BDE second address: 3F2BE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F3CE6 second address: 3F3D44 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F20B4C78D98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d cld 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F20B4C78D98h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a mov di, 0F05h 0x0000002e xor edi, dword ptr [ebp+122D2A55h] 0x00000034 push 00000000h 0x00000036 jnl 00007F20B4C78D9Ch 0x0000003c push eax 0x0000003d pushad 0x0000003e jmp 00007F20B4C78DA1h 0x00000043 push esi 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F1C74 second address: 3F1C78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F1C78 second address: 3F1C87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F1C87 second address: 3F1C91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F20B51B85B6h 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F4CC4 second address: 3F4D28 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F20B4C78DA3h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edi, ebx 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007F20B4C78D98h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b sbb bx, 4267h 0x00000030 push 00000000h 0x00000032 jnc 00007F20B4C78D9Eh 0x00000038 push ecx 0x00000039 mov edi, dword ptr [ebp+122D380Eh] 0x0000003f pop ebx 0x00000040 xchg eax, esi 0x00000041 jnp 00007F20B4C78DAFh 0x00000047 push eax 0x00000048 push edx 0x00000049 jno 00007F20B4C78D96h 0x0000004f rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F1C91 second address: 3F1C95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F1D49 second address: 3F1D4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F1D4D second address: 3F1D57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F1D57 second address: 3F1D5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F5DC4 second address: 3F5DD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F20B51B85B6h 0x0000000d rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F5DD1 second address: 3F5E43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007F20B4C78D9Dh 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebp 0x00000014 call 00007F20B4C78D98h 0x00000019 pop ebp 0x0000001a mov dword ptr [esp+04h], ebp 0x0000001e add dword ptr [esp+04h], 00000019h 0x00000026 inc ebp 0x00000027 push ebp 0x00000028 ret 0x00000029 pop ebp 0x0000002a ret 0x0000002b mov edi, 2C0D7C5Bh 0x00000030 push 00000000h 0x00000032 push eax 0x00000033 adc edi, 33FE45BFh 0x00000039 pop ebx 0x0000003a xchg eax, esi 0x0000003b jp 00007F20B4C78DA8h 0x00000041 jmp 00007F20B4C78DA2h 0x00000046 push eax 0x00000047 pushad 0x00000048 pushad 0x00000049 jns 00007F20B4C78D96h 0x0000004f pushad 0x00000050 popad 0x00000051 popad 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 popad 0x00000056 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F4F4B second address: 3F4F4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F4F4F second address: 3F4F55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F70D8 second address: 3F70F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85C5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F70F9 second address: 3F70FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F7FED second address: 3F8072 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F20B51B85CCh 0x00000008 jmp 00007F20B51B85C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 clc 0x00000013 push dword ptr fs:[00000000h] 0x0000001a push 00000000h 0x0000001c push edx 0x0000001d call 00007F20B51B85B8h 0x00000022 pop edx 0x00000023 mov dword ptr [esp+04h], edx 0x00000027 add dword ptr [esp+04h], 00000015h 0x0000002f inc edx 0x00000030 push edx 0x00000031 ret 0x00000032 pop edx 0x00000033 ret 0x00000034 adc di, 90A2h 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 je 00007F20B51B85C9h 0x00000046 jmp 00007F20B51B85C3h 0x0000004b mov eax, dword ptr [ebp+122D0C35h] 0x00000051 sub edi, dword ptr [ebp+122D1E5Dh] 0x00000057 push FFFFFFFFh 0x00000059 mov bx, F63Eh 0x0000005d nop 0x0000005e pushad 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F8072 second address: 3F8076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3F8076 second address: 3F809F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F20B51B85C8h 0x00000010 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3FB44D second address: 3FB466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F20B4C78D9Bh 0x0000000b js 00007F20B4C78D96h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3FBF26 second address: 3FBF33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F20B51B85B6h 0x0000000d rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3A7C0E second address: 3A7C14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3A7C14 second address: 3A7C18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 402BE8 second address: 402BED instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 402BED second address: 402BFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jg 00007F20B51B85B6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 40B128 second address: 40B130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 40B130 second address: 40B153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F20B51B85B8h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F20B51B85BEh 0x00000012 ja 00007F20B51B85B6h 0x00000018 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 40B153 second address: 40B188 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78DA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b jg 00007F20B4C78D98h 0x00000011 pushad 0x00000012 jno 00007F20B4C78D96h 0x00000018 jng 00007F20B4C78D96h 0x0000001e jo 00007F20B4C78D96h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 40B962 second address: 40B967 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 40B967 second address: 40B97A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 js 00007F20B4C78DA0h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 40FF53 second address: 40FF73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85C0h 0x00000007 ja 00007F20B51B85B6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 40FF73 second address: 40FF7D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F20B4C78D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4100CA second address: 4100E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85C5h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4100E4 second address: 4100EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4100EA second address: 410107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F20B51B85BEh 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 410107 second address: 41010B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 41010B second address: 410111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 410111 second address: 410125 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 js 00007F20B4C78D96h 0x00000009 jnc 00007F20B4C78D96h 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4103DD second address: 4103E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4103E5 second address: 4103FA instructions: 0x00000000 rdtsc 0x00000002 jno 00007F20B4C78DA0h 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4106F1 second address: 4106F7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 41084C second address: 41088F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F20B4C78DA5h 0x0000000e jmp 00007F20B4C78DA5h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F20B4C78D9Eh 0x0000001a rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 416522 second address: 416527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 414F8F second address: 414F93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 415116 second address: 415142 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F20B51B85B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jl 00007F20B51B85B6h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F20B51B85C4h 0x0000001d rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 415142 second address: 41515E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007F20B4C78D9Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4156AD second address: 4156B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4156B1 second address: 4156B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4156B7 second address: 4156C3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F20B51B85BEh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 415B41 second address: 415B45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 415E29 second address: 415E3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85BBh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 415E3A second address: 415E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20B4C78DA9h 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 415E57 second address: 415E5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 415F8F second address: 415F9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F20B4C78D9Ch 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 415F9F second address: 415FA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 39F350 second address: 39F356 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 39F356 second address: 39F35B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E505E second address: 3E5063 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E53DC second address: 3E53E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E53E0 second address: 3E53E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E54C6 second address: 3E54CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E55C2 second address: 3E55C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E55C6 second address: 3E55CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E55CF second address: 3E5618 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007F20B4C78D9Bh 0x0000000e jl 00007F20B4C78D96h 0x00000014 popad 0x00000015 pop edx 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jmp 00007F20B4C78DA7h 0x0000001f mov eax, dword ptr [eax] 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 ja 00007F20B4C78D96h 0x0000002a jo 00007F20B4C78D96h 0x00000030 popad 0x00000031 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E5618 second address: 3E5633 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E583D second address: 3E584F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F20B4C78D9Eh 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E584F second address: 3E5897 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 add dword ptr [ebp+122D1D70h], ecx 0x0000000f sub dword ptr [ebp+12476F39h], ebx 0x00000015 nop 0x00000016 pushad 0x00000017 jg 00007F20B51B85B8h 0x0000001d push esi 0x0000001e pop esi 0x0000001f jmp 00007F20B51B85BBh 0x00000024 popad 0x00000025 push eax 0x00000026 je 00007F20B51B85D6h 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F20B51B85C4h 0x00000033 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E5A81 second address: 3E5A9E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78D9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e jg 00007F20B4C78D96h 0x00000014 pop ebx 0x00000015 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E5A9E second address: 3E5AA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E5AA4 second address: 3E5AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E5AA8 second address: 3E5AAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E5AAC second address: 3E5AFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007F20B4C78D98h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 mov dx, cx 0x00000026 push 00000004h 0x00000028 mov dword ptr [ebp+122D1C91h], esi 0x0000002e nop 0x0000002f jnp 00007F20B4C78DBCh 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F20B4C78DA1h 0x0000003c rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E5AFA second address: 3E5B16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E5E97 second address: 3E5EEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78DA0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jmp 00007F20B4C78DA4h 0x00000011 movsx edi, di 0x00000014 push 0000001Eh 0x00000016 push 00000000h 0x00000018 push edi 0x00000019 call 00007F20B4C78D98h 0x0000001e pop edi 0x0000001f mov dword ptr [esp+04h], edi 0x00000023 add dword ptr [esp+04h], 00000016h 0x0000002b inc edi 0x0000002c push edi 0x0000002d ret 0x0000002e pop edi 0x0000002f ret 0x00000030 push eax 0x00000031 jl 00007F20B4C78D9Eh 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E61D6 second address: 3E61DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E61DA second address: 3E61E0 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3E62F6 second address: 3E62FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 41A172 second address: 41A17A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 41A479 second address: 41A485 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jl 00007F20B51B85B6h 0x0000000c rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 41A485 second address: 41A489 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 41A756 second address: 41A75C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 42112F second address: 42114D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F20B4C78D96h 0x0000000a jmp 00007F20B4C78DA4h 0x0000000f rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 41FFF4 second address: 41FFFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 41FB13 second address: 41FB33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F20B4C78DA6h 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop ebx 0x0000000f rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 41FB33 second address: 41FB6F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F20B51B85E0h 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F20B51B85B6h 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 42087B second address: 420884 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 420884 second address: 42088E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F20B51B85C2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 42088E second address: 420894 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 420894 second address: 42089B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 420B79 second address: 420B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 420B80 second address: 420B94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F20B51B85BEh 0x0000000b rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 420E79 second address: 420E7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 424394 second address: 424398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 424398 second address: 4243B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F20B4C78DA1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4243B4 second address: 4243BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4243BA second address: 4243E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jmp 00007F20B4C78D9Fh 0x0000000b pop ebx 0x0000000c jng 00007F20B4C78DAAh 0x00000012 jmp 00007F20B4C78D9Eh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3A0E1B second address: 3A0E47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85C6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F20B51B85C2h 0x0000000e rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3A0E47 second address: 3A0E76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78DA4h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b jmp 00007F20B4C78DA5h 0x00000010 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3A0E76 second address: 3A0E9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push esi 0x0000000a jmp 00007F20B51B85C3h 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3A0E9A second address: 3A0E9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 3A0E9E second address: 3A0EA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 42A03B second address: 42A042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 42CABA second address: 42CAC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F20B51B85B6h 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 43217B second address: 432196 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F20B4C78DA6h 0x0000000a rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4324BD second address: 4324C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 436E12 second address: 436E18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 436E18 second address: 436E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F20B51B85BBh 0x0000000d pushad 0x0000000e jmp 00007F20B51B85C6h 0x00000013 jmp 00007F20B51B85C1h 0x00000018 ja 00007F20B51B85B6h 0x0000001e popad 0x0000001f rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 437184 second address: 43718A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 43718A second address: 43719E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F20B51B85B6h 0x0000000e js 00007F20B51B85B6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 43719E second address: 4371B3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F20B4C78D98h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4371B3 second address: 4371BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F20B51B85B6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4371BD second address: 4371C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4371C1 second address: 4371E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20B51B85C8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4371E5 second address: 4371E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4371E9 second address: 4371EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4371EF second address: 4371F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4371F5 second address: 437205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20B51B85BCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 438231 second address: 438237 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 438237 second address: 438256 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F20B51B85BEh 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007F20B51B85B8h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 43AC41 second address: 43AC47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 43AC47 second address: 43AC4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 43ADEF second address: 43ADF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 43ADF3 second address: 43AE0B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F20B51B85B6h 0x00000008 jmp 00007F20B51B85BAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 43AE0B second address: 43AE11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 43AE11 second address: 43AE3E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007F20B51B85BCh 0x00000012 jns 00007F20B51B85B6h 0x00000018 jmp 00007F20B51B85BBh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 43AE3E second address: 43AE43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 43AFC2 second address: 43AFD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20B51B85BDh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 43B2A9 second address: 43B2B6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 43D8F6 second address: 43D8FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 43D8FA second address: 43D900 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 43D900 second address: 43D905 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 442E35 second address: 442E3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 442E3B second address: 442E41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 442E41 second address: 442E47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 443401 second address: 443408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 443408 second address: 44342A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F20B4C78D9Eh 0x0000000e jg 00007F20B4C78D9Ch 0x00000014 jno 00007F20B4C78D96h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 44BFE9 second address: 44C000 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a ja 00007F20B51B85B6h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 44C000 second address: 44C00A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F20B4C78D96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 44C2D0 second address: 44C2EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85C0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F20B51B85BAh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 44C2EE second address: 44C2F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 44C5A1 second address: 44C5AB instructions: 0x00000000 rdtsc 0x00000002 jne 00007F20B51B85C2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 44C5AB second address: 44C5B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 44C9EF second address: 44C9F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 44C9F7 second address: 44C9FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 45475F second address: 454764 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4528D9 second address: 4528DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4528DD second address: 4528E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4528E3 second address: 4528EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 452D7E second address: 452D9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F20B51B85B6h 0x00000009 jns 00007F20B51B85B6h 0x0000000f push edx 0x00000010 pop edx 0x00000011 jnc 00007F20B51B85B6h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 452EF9 second address: 452F04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F20B4C78D96h 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 45308E second address: 4530AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F20B51B85C4h 0x0000000a js 00007F20B51B85BCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4530AF second address: 4530CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F20B4C78DA6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 453224 second address: 453229 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 453229 second address: 453231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4534CA second address: 4534D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 453795 second address: 4537A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007F20B4C78D96h 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4537A8 second address: 4537B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 453E2E second address: 453E4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F20B4C78DA4h 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 453E4B second address: 453E6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 ja 00007F20B51B85B6h 0x00000009 jmp 00007F20B51B85BDh 0x0000000e pop eax 0x0000000f pushad 0x00000010 jc 00007F20B51B85B6h 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 453E6D second address: 453E92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c jmp 00007F20B4C78DA9h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 453E92 second address: 453E96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 453E96 second address: 453EAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jo 00007F20B4C78D96h 0x0000000d jnl 00007F20B4C78D96h 0x00000013 pop edi 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 457A2F second address: 457A5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F20B51B85C2h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 45EDB8 second address: 45EDBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 45E884 second address: 45E893 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F20B51B85BAh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 46037A second address: 460382 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 46B2F7 second address: 46B30F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F20B51B85C2h 0x00000010 jnc 00007F20B51B85B6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 46B30F second address: 46B313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4729A3 second address: 4729BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85BCh 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007F20B51B85B6h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 47FDBF second address: 47FDC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 47FDC3 second address: 47FDC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 47FDC9 second address: 47FDD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 482BB6 second address: 482BCE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85BCh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 482BCE second address: 482BD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 488645 second address: 48864B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 48864B second address: 488659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jng 00007F20B4C78D96h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 488659 second address: 488699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 jnc 00007F20B51B85CDh 0x0000000f popad 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jbe 00007F20B51B85B6h 0x00000019 jmp 00007F20B51B85C0h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 488699 second address: 48869D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 48869D second address: 4886A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 486F61 second address: 486F65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 487126 second address: 487141 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85C5h 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 48728D second address: 48729F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78D9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 489C1D second address: 489C23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 489C23 second address: 489C27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 48C28F second address: 48C2D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20B51B85C5h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F20B51B85BEh 0x00000011 jmp 00007F20B51B85C8h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 48C2D1 second address: 48C2D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 48C2D5 second address: 48C2F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 js 00007F20B51B85C2h 0x0000000e jnp 00007F20B51B85B6h 0x00000014 ja 00007F20B51B85B6h 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 48C2F3 second address: 48C2FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F20B4C78D96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 48C2FD second address: 48C30D instructions: 0x00000000 rdtsc 0x00000002 jng 00007F20B51B85B6h 0x00000008 jbe 00007F20B51B85B6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 48FD1B second address: 48FD21 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 48FD21 second address: 48FD37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F20B51B85C0h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 48FD37 second address: 48FD3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 48FD3B second address: 48FD50 instructions: 0x00000000 rdtsc 0x00000002 je 00007F20B51B85B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c pop edi 0x0000000d jnp 00007F20B51B85B6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 49C974 second address: 49C97D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 49C97D second address: 49C983 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 49C983 second address: 49C989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 49C989 second address: 49C98D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 49C98D second address: 49C9B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78DA0h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F20B4C78DA4h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4B0AE7 second address: 4B0AF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push edx 0x0000000a je 00007F20B51B85B6h 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4B0AF8 second address: 4B0B02 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F20B4C78DA2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4B0B02 second address: 4B0B08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4CB6C7 second address: 4CB6E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F20B4C78DA8h 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4CB6E7 second address: 4CB6ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4CB6ED second address: 4CB6F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4CB6F3 second address: 4CB6FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jng 00007F20B51B85B6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4CB6FF second address: 4CB70F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F20B4C78D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4CB70F second address: 4CB717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4CB717 second address: 4CB71F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4CA728 second address: 4CA778 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F20B51B85B6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ecx 0x0000000d pushad 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 jmp 00007F20B51B85C8h 0x00000016 popad 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F20B51B85BDh 0x0000001f jmp 00007F20B51B85BDh 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4CA778 second address: 4CA77C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4CA77C second address: 4CA786 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F20B51B85B6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4CA786 second address: 4CA792 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4CA792 second address: 4CA796 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4CA8E9 second address: 4CA8ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4CA8ED second address: 4CA8F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4CA8F5 second address: 4CA915 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F20B4C78DA7h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4CA915 second address: 4CA91B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4CA91B second address: 4CA940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F20B4C78DA8h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4CA940 second address: 4CA946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4CA946 second address: 4CA950 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F20B4C78D96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4CA950 second address: 4CA958 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe RDTSC instruction interceptor: First address: 4CAC34 second address: 4CAC38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4CB065 second address: 4CB08D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 je 00007F20B51B85B6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop esi 0x0000000c jmp 00007F20B51B85BFh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 jo 00007F20B51B85BEh 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4CCDB2 second address: 4CCDCD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F20B4C78D96h 0x00000008 jmp 00007F20B4C78DA1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4CCDCD second address: 4CCDE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F20B51B85C1h 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4CCDE2 second address: 4CCE04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78D9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007F20B4C78D9Eh 0x00000012 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4CE3D5 second address: 4CE3D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4D0D25 second address: 4D0D2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4D1020 second address: 4D10AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jo 00007F20B51B85C8h 0x0000000b jmp 00007F20B51B85C2h 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 pushad 0x00000014 jmp 00007F20B51B85C6h 0x00000019 jmp 00007F20B51B85C6h 0x0000001e popad 0x0000001f pop eax 0x00000020 nop 0x00000021 sub dword ptr [ebp+122D2855h], ebx 0x00000027 push 00000004h 0x00000029 stc 0x0000002a call 00007F20B51B85B9h 0x0000002f jp 00007F20B51B85BEh 0x00000035 jo 00007F20B51B85B8h 0x0000003b pushad 0x0000003c popad 0x0000003d push eax 0x0000003e ja 00007F20B51B85C0h 0x00000044 jmp 00007F20B51B85BAh 0x00000049 mov eax, dword ptr [esp+04h] 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 pushad 0x00000051 popad 0x00000052 pushad 0x00000053 popad 0x00000054 popad 0x00000055 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4D10AD second address: 4D10BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F20B4C78D9Ah 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4D10BB second address: 4D10CA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4D10CA second address: 4D10CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4D2CA4 second address: 4D2CA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4D2CA8 second address: 4D2CAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4D2CAC second address: 4D2CB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4D285D second address: 4D2861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49E0486 second address: 49E048A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49E048A second address: 49E0490 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49E0490 second address: 49E0496 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49E0496 second address: 49E04B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a movzx ecx, bx 0x0000000d mov bx, 1CE0h 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov edx, 7D942B36h 0x0000001b mov si, di 0x0000001e popad 0x0000001f rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49E04B5 second address: 49E04C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F20B51B85BFh 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A10509 second address: 4A1057C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F20B4C78D9Fh 0x00000009 and ax, 93EEh 0x0000000e jmp 00007F20B4C78DA9h 0x00000013 popfd 0x00000014 mov di, si 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b pushad 0x0000001c mov edx, 2ECEA14Eh 0x00000021 mov esi, edx 0x00000023 popad 0x00000024 xchg eax, ebp 0x00000025 jmp 00007F20B4C78DA1h 0x0000002a mov ebp, esp 0x0000002c pushad 0x0000002d mov edi, esi 0x0000002f mov eax, 2394044Fh 0x00000034 popad 0x00000035 pop ebp 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F20B4C78DA1h 0x0000003d rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A00BE second address: 49A00DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A00DB second address: 49A00FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78DA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov bx, 044Eh 0x00000011 push edi 0x00000012 pop esi 0x00000013 popad 0x00000014 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A00FB second address: 49A014B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F20B51B85BCh 0x0000000b sub cx, A198h 0x00000010 jmp 00007F20B51B85BBh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a jmp 00007F20B51B85C9h 0x0000001f xchg eax, ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F20B51B85BDh 0x00000027 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A014B second address: 49A0152 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A0152 second address: 49A017F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 jmp 00007F20B51B85BFh 0x0000000e push dword ptr [ebp+04h] 0x00000011 pushad 0x00000012 mov dx, cx 0x00000015 mov cx, 8107h 0x00000019 popad 0x0000001a push dword ptr [ebp+0Ch] 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A017F second address: 49A0183 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A0183 second address: 49A0189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C0F10 second address: 49C0F16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C0F16 second address: 49C0F1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C0F1A second address: 49C0F40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F20B4C78DA9h 0x00000012 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C0F40 second address: 49C0F46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C0F46 second address: 49C0F4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C0F4C second address: 49C0F50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C0F50 second address: 49C0F6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F20B4C78D9Ch 0x00000013 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C0F6A second address: 49C0F79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C0F79 second address: 49C0F7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C0AB3 second address: 49C0AD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F20B51B85BFh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C0AD4 second address: 49C0AD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C0AD8 second address: 49C0ADC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C0ADC second address: 49C0AE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C0AE2 second address: 49C0AE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C0AE8 second address: 49C0AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C0AEC second address: 49C0B26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F20B51B85BDh 0x00000011 pushfd 0x00000012 jmp 00007F20B51B85C0h 0x00000017 xor ah, 00000038h 0x0000001a jmp 00007F20B51B85BBh 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C0A3E second address: 49C0A44 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C0A44 second address: 49C0A4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C0A4A second address: 49C0A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C06B7 second address: 49C06BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C06BD second address: 49C06C1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C06C1 second address: 49C06D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov edi, ecx 0x0000000c mov bh, al 0x0000000e popad 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C06D6 second address: 49C06DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C06DA second address: 49C0745 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ch, A3h 0x0000000b popad 0x0000000c mov ebp, esp 0x0000000e jmp 00007F20B51B85C3h 0x00000013 pop ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov edi, 746788B6h 0x0000001c pushfd 0x0000001d jmp 00007F20B51B85C7h 0x00000022 or eax, 220CA13Eh 0x00000028 jmp 00007F20B51B85C9h 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49D0480 second address: 49D0486 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49D0486 second address: 49D04D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85C2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov di, E3D0h 0x00000011 pushfd 0x00000012 jmp 00007F20B51B85C9h 0x00000017 adc eax, 47E4E056h 0x0000001d jmp 00007F20B51B85C1h 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49D04D7 second address: 49D04FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78DA1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F20B4C78D9Ch 0x00000011 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49D04FB second address: 49D056A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b jmp 00007F20B51B85C4h 0x00000010 push esi 0x00000011 mov ecx, edx 0x00000013 pop edx 0x00000014 popad 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F20B51B85C5h 0x00000020 add esi, 3DB90726h 0x00000026 jmp 00007F20B51B85C1h 0x0000002b popfd 0x0000002c call 00007F20B51B85C0h 0x00000031 pop ecx 0x00000032 popad 0x00000033 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49D056A second address: 49D0585 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F20B4C78DA7h 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49D0585 second address: 49D0589 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A1040A second address: 4A1040E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A1040E second address: 4A10412 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A10412 second address: 4A10418 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A10418 second address: 4A10444 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushad 0x0000000c mov di, ax 0x0000000f mov edx, eax 0x00000011 popad 0x00000012 mov edx, esi 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov ecx, 37EC103Fh 0x0000001e mov ecx, 1C9B715Bh 0x00000023 popad 0x00000024 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A10444 second address: 4A10449 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A10449 second address: 4A10459 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov esi, edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A10459 second address: 4A1045D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A1045D second address: 4A1046D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85BCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A1046D second address: 4A10473 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A10473 second address: 4A10477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A10477 second address: 4A1049B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78D9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F20B4C78D9Dh 0x00000014 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A1049B second address: 4A104B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 mov ebx, 752B8BCEh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A104B0 second address: 4A104B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A104B4 second address: 4A104C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85BAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49E07EC second address: 49E07F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49E07F0 second address: 49E07F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49E07F6 second address: 49E089C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 6B1F90A1h 0x00000008 jmp 00007F20B4C78D9Eh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebp 0x00000011 pushad 0x00000012 jmp 00007F20B4C78D9Eh 0x00000017 mov ax, F381h 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e jmp 00007F20B4C78D9Ch 0x00000023 mov eax, dword ptr [ebp+08h] 0x00000026 jmp 00007F20B4C78DA0h 0x0000002b and dword ptr [eax], 00000000h 0x0000002e jmp 00007F20B4C78DA0h 0x00000033 and dword ptr [eax+04h], 00000000h 0x00000037 jmp 00007F20B4C78DA0h 0x0000003c pop ebp 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 mov bl, 24h 0x00000042 pushfd 0x00000043 jmp 00007F20B4C78DA6h 0x00000048 or esi, 65AF2A88h 0x0000004e jmp 00007F20B4C78D9Bh 0x00000053 popfd 0x00000054 popad 0x00000055 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49E089C second address: 49E08B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F20B51B85C4h 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C087B second address: 49C091C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F20B4C78DA7h 0x00000009 and ecx, 6BCA0E4Eh 0x0000000f jmp 00007F20B4C78DA9h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F20B4C78DA0h 0x0000001b add ax, 5AC8h 0x00000020 jmp 00007F20B4C78D9Bh 0x00000025 popfd 0x00000026 popad 0x00000027 pop edx 0x00000028 pop eax 0x00000029 push eax 0x0000002a jmp 00007F20B4C78DA9h 0x0000002f xchg eax, ebp 0x00000030 pushad 0x00000031 pushfd 0x00000032 jmp 00007F20B4C78D9Ch 0x00000037 or ecx, 542CE058h 0x0000003d jmp 00007F20B4C78D9Bh 0x00000042 popfd 0x00000043 push eax 0x00000044 push edx 0x00000045 mov si, 8BA5h 0x00000049 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49C091C second address: 49C0968 instructions: 0x00000000 rdtsc 0x00000002 movzx eax, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F20B51B85C6h 0x00000013 jmp 00007F20B51B85C5h 0x00000018 popfd 0x00000019 call 00007F20B51B85C0h 0x0000001e pop ecx 0x0000001f popad 0x00000020 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49E03B4 second address: 49E03FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 movsx ebx, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F20B4C78DA4h 0x00000011 push eax 0x00000012 jmp 00007F20B4C78D9Bh 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F20B4C78DA6h 0x0000001d mov ebp, esp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49E03FF second address: 49E0403 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49E0403 second address: 49E0409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49E064C second address: 49E065E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F20B51B85BEh 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A00789 second address: 4A0078D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A0078D second address: 4A00791 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A00791 second address: 4A00797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A00797 second address: 4A007DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85C4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F20B51B85BEh 0x00000011 add si, 56A8h 0x00000016 jmp 00007F20B51B85BBh 0x0000001b popfd 0x0000001c mov esi, 5B98A99Fh 0x00000021 popad 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A007DE second address: 4A007E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A007E2 second address: 4A007E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A007E8 second address: 4A00821 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx eax, di 0x0000000e mov dx, 137Ch 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F20B4C78D9Eh 0x0000001c rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A00821 second address: 4A00837 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85BBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A00837 second address: 4A0083B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A0083B second address: 4A00856 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85C7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A00856 second address: 4A0087F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov dl, 45h 0x0000000d popad 0x0000000e xchg eax, ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A0087F second address: 4A00885 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A00885 second address: 4A0091F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F20B4C78DA2h 0x0000000b or ecx, 1A7E54E8h 0x00000011 jmp 00007F20B4C78D9Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov eax, dword ptr [774365FCh] 0x0000001f pushad 0x00000020 call 00007F20B4C78DA4h 0x00000025 pushfd 0x00000026 jmp 00007F20B4C78DA2h 0x0000002b jmp 00007F20B4C78DA5h 0x00000030 popfd 0x00000031 pop esi 0x00000032 pushfd 0x00000033 jmp 00007F20B4C78DA1h 0x00000038 jmp 00007F20B4C78D9Bh 0x0000003d popfd 0x0000003e popad 0x0000003f test eax, eax 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 mov cl, bl 0x00000046 pushad 0x00000047 popad 0x00000048 popad 0x00000049 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A0091F second address: 4A009F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 mov dx, ax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007F2127B6B5F1h 0x00000012 pushad 0x00000013 call 00007F20B51B85BAh 0x00000018 movzx eax, bx 0x0000001b pop edx 0x0000001c jmp 00007F20B51B85BCh 0x00000021 popad 0x00000022 mov ecx, eax 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007F20B51B85BEh 0x0000002b sbb ecx, 60ED90C8h 0x00000031 jmp 00007F20B51B85BBh 0x00000036 popfd 0x00000037 pushfd 0x00000038 jmp 00007F20B51B85C8h 0x0000003d sbb eax, 67211328h 0x00000043 jmp 00007F20B51B85BBh 0x00000048 popfd 0x00000049 popad 0x0000004a xor eax, dword ptr [ebp+08h] 0x0000004d pushad 0x0000004e push ebx 0x0000004f push esi 0x00000050 pop ebx 0x00000051 pop ecx 0x00000052 mov edi, 3FD2D870h 0x00000057 popad 0x00000058 and ecx, 1Fh 0x0000005b jmp 00007F20B51B85BFh 0x00000060 ror eax, cl 0x00000062 push eax 0x00000063 push edx 0x00000064 pushad 0x00000065 push edx 0x00000066 pop eax 0x00000067 pushfd 0x00000068 jmp 00007F20B51B85C7h 0x0000006d jmp 00007F20B51B85C3h 0x00000072 popfd 0x00000073 popad 0x00000074 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A009F1 second address: 4A00A68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F20B4C78D9Fh 0x00000009 or ecx, 363B97DEh 0x0000000f jmp 00007F20B4C78DA9h 0x00000014 popfd 0x00000015 mov ecx, 42932AA7h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d leave 0x0000001e jmp 00007F20B4C78D9Ah 0x00000023 retn 0004h 0x00000026 nop 0x00000027 mov esi, eax 0x00000029 lea eax, dword ptr [ebp-08h] 0x0000002c xor esi, dword ptr [00224014h] 0x00000032 push eax 0x00000033 push eax 0x00000034 push eax 0x00000035 lea eax, dword ptr [ebp-10h] 0x00000038 push eax 0x00000039 call 00007F20B9498080h 0x0000003e push FFFFFFFEh 0x00000040 push eax 0x00000041 push edx 0x00000042 pushad 0x00000043 pushfd 0x00000044 jmp 00007F20B4C78D9Dh 0x00000049 and ax, F0C6h 0x0000004e jmp 00007F20B4C78DA1h 0x00000053 popfd 0x00000054 movzx eax, dx 0x00000057 popad 0x00000058 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A00A68 second address: 4A00A7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, ecx 0x00000005 mov dx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov ecx, 0D6327B9h 0x00000014 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A00A7C second address: 4A00A8A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 57058675h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b movzx esi, bx 0x0000000e rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A00A8A second address: 4A00ADA instructions: 0x00000000 rdtsc 0x00000002 mov bx, EEB0h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 ret 0x0000000a nop 0x0000000b push eax 0x0000000c call 00007F20B99D78F3h 0x00000011 mov edi, edi 0x00000013 jmp 00007F20B51B85BFh 0x00000018 xchg eax, ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F20B51B85BBh 0x00000022 and cx, 4A0Eh 0x00000027 jmp 00007F20B51B85C9h 0x0000002c popfd 0x0000002d mov esi, 56950317h 0x00000032 popad 0x00000033 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A00ADA second address: 4A00ADF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 4A00ADF second address: 4A00B43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F20B51B85C9h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F20B51B85C7h 0x00000014 sbb ax, ED7Eh 0x00000019 jmp 00007F20B51B85C9h 0x0000001e popfd 0x0000001f mov dx, si 0x00000022 popad 0x00000023 xchg eax, ebp 0x00000024 pushad 0x00000025 movzx eax, dx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B0019 second address: 49B001D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B001D second address: 49B003A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B003A second address: 49B0040 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B0040 second address: 49B0044 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B0044 second address: 49B0077 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78DA3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f call 00007F20B4C78DA5h 0x00000014 pop esi 0x00000015 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B0077 second address: 49B00F4 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F20B51B85C1h 0x00000008 sbb cx, 5416h 0x0000000d jmp 00007F20B51B85C1h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 movzx esi, di 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a jmp 00007F20B51B85C3h 0x0000001f mov ebp, esp 0x00000021 pushad 0x00000022 movzx esi, bx 0x00000025 pushfd 0x00000026 jmp 00007F20B51B85C1h 0x0000002b or si, 06D6h 0x00000030 jmp 00007F20B51B85C1h 0x00000035 popfd 0x00000036 popad 0x00000037 and esp, FFFFFFF8h 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e pop ebx 0x0000003f rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B00F4 second address: 49B012D instructions: 0x00000000 rdtsc 0x00000002 mov al, B9h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov edi, 7C98A836h 0x0000000b popad 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F20B4C78D9Fh 0x00000015 call 00007F20B4C78DA8h 0x0000001a pop eax 0x0000001b popad 0x0000001c rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B012D second address: 49B0176 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F20B51B85BEh 0x00000009 add ax, 01B8h 0x0000000e jmp 00007F20B51B85BBh 0x00000013 popfd 0x00000014 mov esi, 512D55EFh 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov dword ptr [esp], ecx 0x0000001f jmp 00007F20B51B85C2h 0x00000024 xchg eax, ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 push edi 0x00000029 pop ecx 0x0000002a pushad 0x0000002b popad 0x0000002c popad 0x0000002d rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B0176 second address: 49B0194 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78DA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B0194 second address: 49B0198 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B0198 second address: 49B01DC instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F20B4C78D9Dh 0x00000008 or al, 00000066h 0x0000000b jmp 00007F20B4C78DA1h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 movzx esi, dx 0x00000016 popad 0x00000017 xchg eax, ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F20B4C78DA6h 0x0000001f rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B01DC second address: 49B01E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B01E1 second address: 49B01E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B01E7 second address: 49B022C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebx, dword ptr [ebp+10h] 0x0000000a jmp 00007F20B51B85C3h 0x0000000f xchg eax, esi 0x00000010 jmp 00007F20B51B85C6h 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F20B51B85BEh 0x0000001d rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B022C second address: 49B0260 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b mov bx, si 0x0000000e push eax 0x0000000f push edx 0x00000010 pushfd 0x00000011 jmp 00007F20B4C78D9Eh 0x00000016 xor cl, 00000058h 0x00000019 jmp 00007F20B4C78D9Bh 0x0000001e popfd 0x0000001f rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B0260 second address: 49B02A7 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F20B51B85C8h 0x00000008 and ecx, 67F814B8h 0x0000000e jmp 00007F20B51B85BBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 mov esi, dword ptr [ebp+08h] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F20B51B85C0h 0x00000023 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B02A7 second address: 49B02AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B02AD second address: 49B02BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F20B51B85BDh 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B02BE second address: 49B02C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B02C2 second address: 49B0390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 jmp 00007F20B51B85BAh 0x0000000e mov dword ptr [esp], edi 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F20B51B85BEh 0x00000018 sub ecx, 6B9DF0A8h 0x0000001e jmp 00007F20B51B85BBh 0x00000023 popfd 0x00000024 pushfd 0x00000025 jmp 00007F20B51B85C8h 0x0000002a or ecx, 6BBEE308h 0x00000030 jmp 00007F20B51B85BBh 0x00000035 popfd 0x00000036 popad 0x00000037 test esi, esi 0x00000039 jmp 00007F20B51B85C6h 0x0000003e je 00007F2127BB688Dh 0x00000044 push eax 0x00000045 push edx 0x00000046 pushad 0x00000047 pushfd 0x00000048 jmp 00007F20B51B85BDh 0x0000004d sbb eax, 2CDD9CD6h 0x00000053 jmp 00007F20B51B85C1h 0x00000058 popfd 0x00000059 pushfd 0x0000005a jmp 00007F20B51B85C0h 0x0000005f sbb si, C2F8h 0x00000064 jmp 00007F20B51B85BBh 0x00000069 popfd 0x0000006a popad 0x0000006b rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B0390 second address: 49B03A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F20B4C78DA4h 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B03A8 second address: 49B03E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000f jmp 00007F20B51B85C7h 0x00000014 je 00007F2127BB6813h 0x0000001a pushad 0x0000001b mov cx, 3A1Bh 0x0000001f popad 0x00000020 mov edx, dword ptr [esi+44h] 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B03E2 second address: 49B0414 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F20B4C78DA5h 0x0000000a and cx, 4256h 0x0000000f jmp 00007F20B4C78DA1h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B0414 second address: 49B0446 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 or edx, dword ptr [ebp+0Ch] 0x0000000c jmp 00007F20B51B85BEh 0x00000011 test edx, 61000000h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B0446 second address: 49B044A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B044A second address: 49B044E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B044E second address: 49B0454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B0454 second address: 49B0463 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F20B51B85BBh 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B0463 second address: 49B04C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F2127676FB3h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F20B4C78D9Eh 0x00000017 sbb esi, 66503138h 0x0000001d jmp 00007F20B4C78D9Bh 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007F20B4C78DA8h 0x00000029 sub cx, AB98h 0x0000002e jmp 00007F20B4C78D9Bh 0x00000033 popfd 0x00000034 popad 0x00000035 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B04C0 second address: 49B0512 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85C9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [esi+48h], 00000001h 0x0000000d jmp 00007F20B51B85BEh 0x00000012 jne 00007F2127BB6768h 0x00000018 pushad 0x00000019 mov ax, 197Dh 0x0000001d call 00007F20B51B85BAh 0x00000022 mov bx, si 0x00000025 pop esi 0x00000026 popad 0x00000027 test bl, 00000007h 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49B0512 second address: 49B0528 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78DA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A085F second address: 49A0865 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A0865 second address: 49A08B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78D9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F20B4C78D9Bh 0x00000011 xchg eax, ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F20B4C78D9Bh 0x0000001b sub ax, B10Eh 0x00000020 jmp 00007F20B4C78DA9h 0x00000025 popfd 0x00000026 mov cx, FE17h 0x0000002a popad 0x0000002b rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A08B7 second address: 49A0973 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F20B51B85C3h 0x00000009 adc ecx, 0A29AF1Eh 0x0000000f jmp 00007F20B51B85C9h 0x00000014 popfd 0x00000015 push esi 0x00000016 pop ebx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov ebp, esp 0x0000001c pushad 0x0000001d mov dl, cl 0x0000001f push edx 0x00000020 mov esi, 17CE19D7h 0x00000025 pop eax 0x00000026 popad 0x00000027 and esp, FFFFFFF8h 0x0000002a pushad 0x0000002b mov di, 965Ch 0x0000002f pushfd 0x00000030 jmp 00007F20B51B85C5h 0x00000035 jmp 00007F20B51B85BBh 0x0000003a popfd 0x0000003b popad 0x0000003c xchg eax, ebx 0x0000003d pushad 0x0000003e call 00007F20B51B85C4h 0x00000043 call 00007F20B51B85C2h 0x00000048 pop ecx 0x00000049 pop edx 0x0000004a mov edx, esi 0x0000004c popad 0x0000004d push eax 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F20B51B85C8h 0x00000055 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A0973 second address: 49A0978 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A0978 second address: 49A09C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebx 0x00000008 jmp 00007F20B51B85C8h 0x0000000d xchg eax, esi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F20B51B85BDh 0x00000017 sbb cx, 7C36h 0x0000001c jmp 00007F20B51B85C1h 0x00000021 popfd 0x00000022 mov ecx, 6FC9AC27h 0x00000027 popad 0x00000028 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A09C7 second address: 49A09CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A09CD second address: 49A09E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A09E9 second address: 49A09ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A09ED second address: 49A09F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A09F1 second address: 49A09F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A09F7 second address: 49A0A24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B51B85BDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007F20B51B85BEh 0x0000000f mov esi, dword ptr [ebp+08h] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov di, 8100h 0x00000019 mov bh, ADh 0x0000001b popad 0x0000001c rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A0A24 second address: 49A0A49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F20B4C78DA2h 0x00000012 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A0A49 second address: 49A0A5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F20B51B85BEh 0x00000009 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A0A5B second address: 49A0A99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a jmp 00007F20B4C78DA7h 0x0000000f je 00007F212767E6A8h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F20B4C78DA5h 0x0000001c rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A0A99 second address: 49A0ABF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 mov dx, 5C4Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c cmp dword ptr [esi+08h], DDEEDDEEh 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov eax, 677B3DBDh 0x0000001b jmp 00007F20B51B85BAh 0x00000020 popad 0x00000021 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A0ABF second address: 49A0B1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78D9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, esi 0x0000000b pushad 0x0000000c jmp 00007F20B4C78DA4h 0x00000011 pushad 0x00000012 jmp 00007F20B4C78DA0h 0x00000017 mov ah, 10h 0x00000019 popad 0x0000001a popad 0x0000001b je 00007F212767E63Fh 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F20B4C78DA8h 0x00000028 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A0B1A second address: 49A0B72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 5A34h 0x00000007 pushfd 0x00000008 jmp 00007F20B51B85BDh 0x0000000d and ax, 19F6h 0x00000012 jmp 00007F20B51B85C1h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b test byte ptr [77436968h], 00000002h 0x00000022 jmp 00007F20B51B85BEh 0x00000027 jne 00007F2127BBDE0Eh 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F20B51B85BAh 0x00000036 rdtsc
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeRDTSC instruction interceptor: First address: 49A0B72 second address: 49A0B78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | RDTSC instruction interceptor: First address: 49A0B78 second address: 49A0B7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | RDTSC instruction interceptor: First address: 49A0B7E second address: 49A0B82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | RDTSC instruction interceptor: First address: 49A0B82 second address: 49A0BBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b jmp 00007F20B51B85C4h 0x00000010 xchg eax, ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F20B51B85C7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | RDTSC instruction interceptor: First address: 49A0BBB second address: 49A0BE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78DA9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F20B4C78D9Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | RDTSC instruction interceptor: First address: 49A0BE7 second address: 49A0BED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | RDTSC instruction interceptor: First address: 49A0BED second address: 49A0C16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F20B4C78D9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c jmp 00007F20B4C78D9Eh 0x00000011 xchg eax, ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | RDTSC instruction interceptor: First address: 49A0C16 second address: 49A0C1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | RDTSC instruction interceptor: First address: 49A0C1A second address: 49A0C20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Special instruction interceptor: First address: 22EB93 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Special instruction interceptor: First address: 22EC1D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Special instruction interceptor: First address: 3FBF86 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Special instruction interceptor: First address: 22EB63 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Special instruction interceptor: First address: 465D71 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Special instruction interceptor: First address: 46EB93 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Special instruction interceptor: First address: 46EC1D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Special instruction interceptor: First address: 63BF86 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Special instruction interceptor: First address: 46EB63 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Special instruction interceptor: First address: 6A5D71 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe | Special instruction interceptor: First address: 70B8C6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe | Special instruction interceptor: First address: 70B824 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe | Special instruction interceptor: First address: 8A798D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe | Special instruction interceptor: First address: 934AEC instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe | Special instruction interceptor: First address: D65B03 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe | Special instruction interceptor: First address: D65A45 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe | Special instruction interceptor: First address: F00D74 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe | Special instruction interceptor: First address: F7D74A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Special instruction interceptor: First address: D4B8C6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Special instruction interceptor: First address: D4B824 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Special instruction interceptor: First address: EE798D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Special instruction interceptor: First address: F74AEC instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Special instruction interceptor: First address: 565B03 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Special instruction interceptor: First address: 565A45 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Special instruction interceptor: First address: 700D74 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Special instruction interceptor: First address: 77D74A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Special instruction interceptor: First address: 6D5B03 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Special instruction interceptor: First address: 6D5A45 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Special instruction interceptor: First address: 870D74 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Special instruction interceptor: First address: 8ED74A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Memory allocated: A50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Memory allocated: 2480000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Memory allocated: 22A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Code function: 1_2_04A300CA rdtsc 1_2_04A300CA
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Thread delayed: delay time: 180000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Window / User API: threadDelayed 1335
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Window / User API: threadDelayed 1336
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Window / User API: threadDelayed 1306
Source: C:\Windows\SysWOW64\rundll32.exe | Window / User API: threadDelayed 4220
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6136
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3550
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Window / User API: threadDelayed 1050
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Window / User API: threadDelayed 1076
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Window / User API: threadDelayed 1076
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\NewB[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\swiiii[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\Startup[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\jok[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\file300un[1].exe
Source: C:\Windows\System32\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000153001\swiiii.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000173001\Startup.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\cred64[1].dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\build_1GyXIDXRUC[1].exe
Source: C:\Windows\System32\svchost.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT826D.tmp
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\clip64[1].dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\gold[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\alexxxxxxxx[1].exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\clip64[1].dll
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000149001\gold.exe
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\sarra[1].exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000167001\build_1GyXIDXRUC.exe
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1000181001\file300un.exe
Source: C:\Windows\SysWOW64\rundll32.exe | API coverage: 9.4 %
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | API coverage: 3.6 %
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7064 | Thread sleep count: 64 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7064 | Thread sleep time: -128064s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7136 | Thread sleep count: 1335 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7136 | Thread sleep time: -2671335s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7128 | Thread sleep count: 1336 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 7128 | Thread sleep time: -2673336s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5988 | Thread sleep count: 169 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5988 | Thread sleep time: -5070000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 4016 | Thread sleep count: 1306 > 30
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 4016 | Thread sleep time: -2613306s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe TID: 5648 | Thread sleep time: -720000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7220 | Thread sleep count: 4220 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 7220 | Thread sleep time: -4220000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7616 | Thread sleep time: -11068046444225724s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 4776 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe TID: 7044 | Thread sleep count: 100 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8540 | Thread sleep count: 104 > 30
Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe TID: 7472 | Thread sleep count: 71 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 5192 | Thread sleep count: 156 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 5192 | Thread sleep time: -312156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 8784 | Thread sleep count: 163 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 8784 | Thread sleep time: -326163s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 7352 | Thread sleep count: 166 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 7352 | Thread sleep time: -332166s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 5724 | Thread sleep count: 134 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 5724 | Thread sleep time: -4020000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 6116 | Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 9196 | Thread sleep count: 169 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 9196 | Thread sleep time: -338169s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 7328 | Thread sleep count: 169 > 30
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 7328 | Thread sleep time: -338169s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe TID: 5724 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe TID: 7416 | Thread sleep count: 1076 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4924 | Thread sleep time: -150000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Thread sleep count: Count: 1050 delay: -10
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Thread sleep count: Count: 1076 delay: -10
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Thread sleep count: Count: 1076 delay: -10
Source: C:\Users\user\Desktop\tA6etkt3gb.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\rundll32.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6C88BA1E FindFirstFileExW,8_2_6C88BA1E
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_0090C2A2 FindFirstFileExW,13_2_0090C2A2
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_009468EE FindFirstFileW,FindClose,13_2_009468EE
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_0094698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,13_2_0094698F
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_0093D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,13_2_0093D076
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_0093D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,13_2_0093D3A9
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_00949642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,13_2_00949642
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_0094979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,13_2_0094979D
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_0093DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,13_2_0093DBBE
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_00949B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,13_2_00949B2B
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_00945C97 FindFirstFileW,FindNextFileW,FindClose,13_2_00945C97
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_008D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,13_2_008D42DE
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Thread delayed: delay time: 180000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Thread delayed: delay time: 30000
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\Videos\desktop.ini
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\Music\desktop.ini
Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\OneDrive\desktop.ini
Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}User Data\WorkspacesNavigationComponent\Network\*f{
Source: tA6etkt3gb.exe, 00000001.00000003.2243576972.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696487552f
Source: a14d081f84.exe, 00000011.00000003.2559251683.00000000079E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: bCSfMYSxkL4HWyoXAB1G5hDlqeMuUnwoUAFmVChtHrzZUujZ1qMtmQuV|
Source: a14d081f84.exe, 00000011.00000003.2559017135.00000000079EB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .comVMware20,11696487hp
Source: a14d081f84.exe, 00000011.00000003.2559017135.00000000079EB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ra Change Transaction PasswordVMware20,11696487552
Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: a14d081f84.exe, 00000011.00000003.2559017135.00000000079EB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .utiitsl.comVMware20,1169648755xt
Source: explorha.exe, 00000002.00000002.3649423302.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2505986332.000002B04F52B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2505986332.000002B04F5B2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000008.00000002.3588493265.0000000003504000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.3811894214.00000264BFA54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.3624106158.00000264BA42B000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2671676369.00000000013A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000002.2745944296.000000000125B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: fb1076712b.exe, 0000001B.00000003.2786559543.0000000001057000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696487552
Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696487552o
Source: a14d081f84.exe, 00000011.00000003.2559017135.00000000079EB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696
Source: MPGPH131.exe, 0000001E.00000003.2544666241.000000000126D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: fb1076712b.exe, 0000000D.00000003.2661241476.0000000003CBA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}U
Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\*NA
Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696487552
Source: MPGPH131.exe, 0000001E.00000002.2758476389.0000000007B3F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696487552j
Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: a14d081f84.exe, 00000011.00000003.2559017135.00000000079EB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: nickname.utiitsl.comVMware20,1169648755xt
Source: a14d081f84.exe, 00000011.00000003.2559017135.00000000079EB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ebrokers.co.inVMware20,11696487552d
                                Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
                                Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                                Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696487552t
                                Source: a14d081f84.exe, 00000011.00000003.2559017135.00000000079EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: s.portal.azure.comVMware20,11696487552
                                Source: a14d081f84.exe, 00000011.00000003.2559017135.00000000079EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: billing_address_id.comVMware20,11696487hp
                                Source: MPGPH131.exe, 0000001E.00000003.2651686568.0000000007B09000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}JPvl4rB\ZyWv8IxGQgj8Login Data For Account-journal4
                                Source: tA6etkt3gb.exe, tA6etkt3gb.exe, 00000001.00000002.2267335516.00000000003B6000.00000040.00000001.01000000.00000003.sdmp, explorha.exe, explorha.exe, 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp, amert.exe, amert.exe, 0000000B.00000002.2476650601.000000000088A000.00000040.00000001.01000000.0000000B.sdmp, a14d081f84.exe, 00000011.00000002.2670704585.0000000000EE4000.00000040.00000001.01000000.00000012.sdmp, chrosha.exe, 00000012.00000002.2529942617.0000000000ECA000.00000040.00000001.01000000.00000013.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                                Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                                Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                                Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
                                Source: explorha.exe, 00000002.00000002.3649423302.0000000000BA2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW(#
                                Source: rundll32.exe, 00000005.00000002.2505986332.000002B04F5B2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW<
                                Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696487552x
                                Source: MPGPH131.exe, 0000001E.00000002.2745944296.000000000126F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                                Source: a14d081f84.exe, 00000011.00000003.2559017135.00000000079EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,116
                                Source: a14d081f84.exe, 00000011.00000003.2567220564.00000000079FA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}+ZNgq8bwK6rrO0V8G+plZGFzcFLc3wKNjuOFhRXd
                                Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                                Source: netsh.exe, 00000006.00000002.2330540786.000001DA67F98000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000006.00000003.2330020987.000001DA67F95000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
                                Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
                                Source: fb1076712b.exe, 0000001B.00000003.2786559543.0000000001057000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                                Source: MPGPH131.exe, 0000001E.00000003.2651686568.0000000007B09000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}User Data\jhfjfclepacoldmjmkmdlmganfaalklb\CURRENT
                                Source: MPGPH131.exe, 0000001E.00000002.2745944296.000000000125B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&7F
                                Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                                Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                                Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                                Source: tA6etkt3gb.exe, 00000001.00000003.2243576972.0000000000ACD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:N
                                Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                                Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}User Data\lpilbniiabackdjcionkobglmddfbcjo\CURRENTv
                                Source: rundll32.exe, 00000008.00000002.3588493265.00000000034AA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWH
                                Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696487552s
                                Source: a14d081f84.exe, 00000011.00000003.2567508830.00000000079D9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_B6CA89A8
                                Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                                Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                                Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                                Source: tA6etkt3gb.exe, 00000001.00000002.2267335516.00000000003B6000.00000040.00000001.01000000.00000003.sdmp, explorha.exe, 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp, amert.exe, 0000000B.00000002.2476650601.000000000088A000.00000040.00000001.01000000.0000000B.sdmp, a14d081f84.exe, 00000011.00000002.2670704585.0000000000EE4000.00000040.00000001.01000000.00000012.sdmp, chrosha.exe, 00000012.00000002.2529942617.0000000000ECA000.00000040.00000001.01000000.00000013.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                                Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                                Source: MPGPH131.exe, 0000001E.00000003.2642902010.0000000007B4E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.000000000134E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                                Source: a14d081f84.exe, 00000011.00000003.2559017135.00000000079EB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,116c
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeSystem information queried: ModuleInformationJump to behavior
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exeProcess information queried: ProcessInformationJump to behavior

                                Anti Debugging

                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Thread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Thread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe | Thread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe | Thread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Thread information set: HideFromDebugger
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Thread information set: HideFromDebugger
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Thread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe | Thread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Thread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Thread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Thread information set: HideFromDebugger
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Open window title or class name: regmonclass
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Open window title or class name: gbdyllo
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Open window title or class name: procmon_window_class
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Open window title or class name: ollydbg
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Open window title or class name: filemonclass
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File opened: NTICE
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File opened: SICE
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | File opened: SIWVID
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Process queried: DebugPort
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Process queried: DebugPort
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Process queried: DebugPort
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Process queried: DebugPort
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Process queried: DebugPort
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Code function: 1_2_04A300CA rdtsc 1_2_04A300CA
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_0094EAA2 BlockInput, 13_2_0094EAA2
                                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6C886911 IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 8_2_6C886911
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_008D42DE GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary, GetSystemInfo, GetSystemInfo, 13_2_008D42DE
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Code function: 1_2_001F7BBB mov eax, dword ptr fs:[00000030h] 1_2_001F7BBB
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Code function: 1_2_001FB922 mov eax, dword ptr fs:[00000030h] 1_2_001FB922
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: 2_2_0043B922 mov eax, dword ptr fs:[00000030h] 2_2_0043B922
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: 2_2_00437BBB mov eax, dword ptr fs:[00000030h] 2_2_00437BBB
                                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6C88B5B1 mov eax, dword ptr fs:[00000030h] 8_2_6C88B5B1
                                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6C889F7F mov eax, dword ptr fs:[00000030h] 8_2_6C889F7F
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe | Code function: 11_2_006D5E8B mov eax, dword ptr fs:[00000030h] 11_2_006D5E8B
                                Source: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe | Code function: 11_2_006D9B02 mov eax, dword ptr fs:[00000030h] 11_2_006D9B02
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_008F4CE8 mov eax, dword ptr fs:[00000030h] 13_2_008F4CE8
                                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6C88CF44 GetProcessHeap, 8_2_6C88CF44
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6C8861AD SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, 8_2_6C8861AD
                                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6C886911 IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 8_2_6C886911
                                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_6C889574 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 8_2_6C889574
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_00902622 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 13_2_00902622
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_008F083F IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 13_2_008F083F
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_008F09D5 SetUnhandledExceptionFilter, 13_2_008F09D5
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_008F0C21 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, 13_2_008F0C21
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Memory allocated: page read and write | page guard

                                HIPS / PFW / Operating System Protection Evasion

                                Source: C:\Windows\System32\svchost.exe | File created: BIT826D.tmp.15.dr
                                Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 193.233.132.56 80
                                Source: C:\Windows\System32\rundll32.exe | Network Connect: 193.233.132.167 80
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Memory written: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe base: 400000 value starts with: 4D5A
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 439000
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43C000
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 447000
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D97008
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_00931201 LogonUserW, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcslen, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, GetProcessHeap, HeapFree, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock, 13_2_00931201
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_00912BA5 KiUserCallbackDispatcher, SetCurrentDirectoryW, GetForegroundWindow, ShellExecuteW, 13_2_00912BA5
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_0093B226 SendInput, keybd_event, 13_2_0093B226
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_009522DA GetForegroundWindow, GetDesktopWindow, GetWindowRect, mouse_event, GetCursorPos, mouse_event, 13_2_009522DA
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Process created: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe "C:\Users\user\AppData\Local\Temp\1000054001\amert.exe"
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Process created: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe "C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe"
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Process created: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe "C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe"
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Process created: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
                                Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                                Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
                                Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1456 -ip 1456
                                Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 2108
                                Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 8912 -ip 8912
                                Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8912 -s 2112
                                Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 8740 -ip 8740
                                Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8740 -s 2060
                                Source: C:\Windows\System32\svchost.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7480 -ip 7480
                                Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                                Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                                Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                                Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                                Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                                Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                                Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                                Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                                Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                                Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                                Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                                Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                                Source: C:\Windows\System32\svchost.exe | Process created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Process created: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe "C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe"
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                Source: C:\Windows\System32\rundll32.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\rundll32.exeProcess created: unknown unknown
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeCode function: 13_2_00930B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,13_2_00930B62
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exeCode function: 13_2_00931663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,13_2_00931663
                                Source: fb1076712b.exe, 0000000D.00000000.2381257663.0000000000992000.00000002.00000001.01000000.0000000F.sdmp, fb1076712b.exe, 0000001B.00000000.2486401927.0000000000992000.00000002.00000001.01000000.0000000F.sdmpBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                                Source: fb1076712b.exeBinary or memory string: Shell_TrayWnd
                                Source: tA6etkt3gb.exe, explorha.exeBinary or memory string: ?9Program Manager
                                Source: tA6etkt3gb.exe, 00000001.00000002.2267445313.00000000003F9000.00000040.00000001.01000000.00000003.sdmp, explorha.exe, 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmpBinary or memory string: 9Program Manager
                                Source: amert.exe, amert.exe, 0000000B.00000002.2476650601.000000000088A000.00000040.00000001.01000000.0000000B.sdmp, a14d081f84.exe, 00000011.00000002.2670704585.0000000000EE4000.00000040.00000001.01000000.00000012.sdmp, chrosha.exe, 00000012.00000002.2529942617.0000000000ECA000.00000040.00000001.01000000.00000013.sdmpBinary or memory string: rProgram Manager
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeCode function: 2_2_0041F436 cpuid 2_2_0041F436
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeQueries volume information: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeQueries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeQueries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1000054001\amert.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeQueries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeQueries volume information: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe VolumeInformationJump to behavior
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe VolumeInformationJump to behavior
                                Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\Desktop\PIVFAGEAAV.docx VolumeInformationJump to behavior
                                Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\Desktop\PIVFAGEAAV.xlsx VolumeInformationJump to behavior
                                Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\Desktop\SQSJKEBWDT.xlsx VolumeInformationJump to behavior
                                Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\Desktop\SUAVTZKNFL.docx VolumeInformationJump to behavior
                                Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformationJump to behavior
                                Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformationJump to behavior
                                Source: C:\Windows\System32\rundll32.exeQueries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip VolumeInformationJump to behavior
                                Source: C:\Windows\System32\netsh.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.dll VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IO.Compression.FileSystem\v4.0_4.0.0.0__b77a5c561934e089\System.IO.Compression.FileSystem.dll VolumeInformationJump to behavior
                                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeQueries volume information: C:\ VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeQueries volume information: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeQueries volume information: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeQueries volume information: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeQueries volume information: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exeQueries volume information: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll | VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000149001\gold.exe | VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000149001\gold.exe | VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe | VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe | VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe | VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe | VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000153001\swiiii.exe | VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000153001\swiiii.exe | VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000167001\build_1GyXIDXRUC.exe | VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000167001\build_1GyXIDXRUC.exe | VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000173001\Startup.exe | VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000173001\Startup.exe | VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000181001\file300un.exe | VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000181001\file300un.exe | VolumeInformation
                                Source: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | VolumeInformation
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ | VolumeInformation
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ | VolumeInformation
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ | VolumeInformation
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ | VolumeInformation
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ | VolumeInformation
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ | VolumeInformation
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\ | VolumeInformation
                                Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\Desktop\PIVFAGEAAV.docx | VolumeInformation
                                Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\Desktop\PIVFAGEAAV.xlsx | VolumeInformation
                                Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\Desktop\SQSJKEBWDT.xlsx | VolumeInformation
                                Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip | VolumeInformation
                                Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip | VolumeInformation
                                Source: C:\Windows\System32\rundll32.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip | VolumeInformation
                                Source: C:\Users\user\Desktop\tA6etkt3gb.exe | Code function: 1_2_001DE27A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime | 1_2_001DE27A
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: 2_2_00406160 LookupAccountNameA | 2_2_00406160
                                Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: 2_2_00443B37 GetTimeZoneInformation | 2_2_00443B37
                                Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_008D42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 13_2_008D42DE
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography | MachineGuid

                                Lowering of HIPS / PFW / Operating System Security Settings

                                Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                                Source: C:\Windows\SysWOW64\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                                Source: C:\Windows\SysWOW64\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                                Source: C:\Windows\SysWOW64\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                                Source: C:\Windows\SysWOW64\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                                Source: C:\Windows\SysWOW64\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                                Source: C:\Windows\SysWOW64\schtasks.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                                Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select * From AntiVirusProduct
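Detection logic for the two behaviours listed above, added here as an example and not part of the Joe Sandbox report: a `netsh wlan show profiles` child whose parent is not an interactive shell (here rundll32.exe), and Security Center AV/anti-spyware/firewall enumeration issued by hosts such as schtasks.exe, conhost.exe and RegAsm.exe, which have no reason to query WMI unless injected code is running inside them. The telemetry records, their field names and the benign-parent list are constructed assumptions modelled on the report lines.

```python
"""Flag WLAN-profile harvesting and AV enumeration from injected hosts.

Added example, not Joe Sandbox code. The event dictionaries below are
constructed to mirror the report; field names are an assumption."""
import re

# Parents that legitimately spawn netsh during admin work (assumption; tune).
BENIGN_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}
# Hosts that never enumerate security products on their own: when they do,
# the query comes from code injected into them (schtasks, conhost, RegAsm).
SUSPECT_WMI_HOSTS = {"schtasks.exe", "conhost.exe", "regasm.exe", "rundll32.exe"}

WLAN_RE = re.compile(r"\bnetsh(\.exe)?\s+wlan\s+show\s+profile", re.I)
SECCENTER_RE = re.compile(
    r"root\\securitycenter2?\s*:\s*select\b.*\bfrom\s+"
    r"(antivirusproduct|antispywareproduct|firewallproduct)\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_process_event(ev):
    """Return a finding tuple for a process-creation event, or None."""
    parent = basename(ev["parent"])
    if WLAN_RE.search(ev["cmdline"]) and parent not in BENIGN_PARENTS:
        return ("wlan_profile_harvest", parent)
    return None


def check_wmi_event(ev):
    """Return a finding tuple for a WMI ExecQuery event, or None."""
    host = basename(ev["process"])
    if SECCENTER_RE.search(ev["query"]) and host in SUSPECT_WMI_HOSTS:
        return ("av_enum_from_injected_host", host)
    return None


def scan(process_events, wmi_events):
    """Run both checks and return the list of findings."""
    findings = [f for f in map(check_process_event, process_events) if f]
    findings += [f for f in map(check_wmi_event, wmi_events) if f]
    return findings


# Constructed sample telemetry modelled on the report lines.
SAMPLE_PROCESS_EVENTS = [
    {"parent": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh wlan show profiles"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh wlan show profiles"},   # admin at a shell: benign
]
SAMPLE_WMI_EVENTS = [
    {"process": r"C:\Windows\SysWOW64\schtasks.exe",
     "query": r"ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct"},
    {"process": r"C:\Windows\System32\conhost.exe",
     "query": r"root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct"},
    {"process": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "query": r"ROOT\cimv2 : SELECT * FROM Win32_Process"},   # benign
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PROCESS_EVENTS, SAMPLE_WMI_EVENTS):
        print(finding)
```

The parent check matters more than the command line: `netsh wlan show profiles` is also typed by administrators, so the signal is the non-shell parent. The WMI check keys on the host process rather than the query text, because the SecurityCenter2 queries are identical to what legitimate management agents issue.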

                                Stealing of Sensitive Information

                                Source: Yara match | File source: 8.2.rundll32.exe.6c880000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\clip64[1].dll, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\clip64[1].dll, type: DROPPED
                                Source: Yara match | File source: 8.2.rundll32.exe.6c880000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 43.2.chrosha.exe.ce0000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 18.2.chrosha.exe.ce0000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 11.2.amert.exe.6a0000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 1.2.tA6etkt3gb.exe.1c0000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 42.2.explorha.exe.400000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 2.2.explorha.exe.400000.0.unpack, type: UNPACKEDPE
                                Source: Yara match | File source: 00000012.00000003.2481957933.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000002A.00000003.2763648199.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000002B.00000003.2730670140.00000000049D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000000B.00000002.2470234550.00000000006A1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000002A.00000002.2805100586.0000000000401000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000002B.00000002.3604593284.0000000000CE1000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000012.00000002.2529830528.0000000000CE1000.00000040.00000001.01000000.00000013.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000000B.00000003.2378841431.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000002.00000003.2278323852.00000000047D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000001.00000003.2225797084.0000000004800000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\clip64[1].dll, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\clip64[1].dll, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\NewB[1].exe, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\cred64[1].dll, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\cred64[1].dll, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\alexxxxxxxx[1].exe, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT826D.tmp, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\jok[1].exe, type: DROPPED
                                Source: Yara match | File source: 0000001E.00000003.2651044580.0000000007B09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001F.00000002.2747382681.0000000000411000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001E.00000003.2651935051.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001E.00000003.2651686568.0000000007B09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000026.00000002.2763346512.0000000000581000.00000040.00000001.01000000.00000016.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000011.00000003.2443781465.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000011.00000002.2676484710.00000000079FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001E.00000002.2758476389.0000000007B23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001E.00000002.2743444356.0000000000411000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001F.00000002.2761794981.0000000007970000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000021.00000002.2679394212.0000000000C11000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000011.00000003.2567061812.00000000079FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001F.00000003.2530726910.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001E.00000003.2511709455.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000026.00000003.2664446701.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000011.00000003.2567508830.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000011.00000002.2676382409.00000000079B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000011.00000003.2566711437.00000000079FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000011.00000003.2567220564.00000000079FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000011.00000003.2566883386.00000000079FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000021.00000003.2577880849.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 0000001E.00000003.2651321951.0000000007B09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara match | File source: 00000011.00000002.2670373091.0000000000C11000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
                                Source: Yara match | File source: Process Memory Space: a14d081f84.exe PID: 1456, type: MEMORYSTR
                                Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 8912, type: MEMORYSTR
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\ai7r4g0iAr_FU6jbGEv2feP.zip, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\qRHF0I3SLdbVi0YvmQyqu8Z.zip, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\2kpfKwlB_SMWQoOpeV00Wxp.zip, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT826D.tmp, type: DROPPED
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\walletsLaB
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                                Source: MPGPH131.exe, 0000001E.00000003.2651044580.0000000007B09000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\walletsB
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.jsons
                                Source: MPGPH131.exe, 0000001E.00000003.2651044580.0000000007B09000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\walletsB
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallett:
                                Source: powershell.exe, 00000009.00000002.2485705597.00007FFD33C60000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: sqlcolumnencryptionkeystoreprovider
                                Source: a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live*
                                Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
                                Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\System32\netsh.exe netsh wlan show profiles
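The wallet directories in the memory strings above and the browser credential stores and Chromium extension storage paths opened in this section are exactly what a stealer enumerates. The classifier below over file-open telemetry is added here as an example and is not part of the Joe Sandbox report: it buckets each accessed path into a category, groups the hits by process and flags non-browser processes that touch secrets, so the same rundll32.exe, RegAsm.exe and MPGPH131.exe accesses listed here would surface on an endpoint. The sample events reuse paths from the report; the field names, the browser list, the wallet-extension ID mapping and the hit threshold are assumptions.

```python
"""Classify file-open events into browser-secret, history, wallet-app and
extension-storage accesses and flag non-browser processes that read them.

Added example, not Joe Sandbox code. Sample events are constructed from
paths in the report; field names and thresholds are assumptions."""
import re
from collections import defaultdict

# Browser secrets: saved logins, cookies, autofill, and the Firefox key store
# (cert9.db/key4.db are needed to decrypt logins.json).
BROWSER_SECRET_FILES = {"login data", "logins.json", "cert9.db", "key4.db",
                        "cookies", "web data"}
# Browsing and form history: lower value, but swept up alongside the secrets.
BROWSER_HISTORY_FILES = {"history", "formhistory.sqlite"}
# Wallet application data directories named in the memory strings above.
WALLET_DIR_RE = re.compile(
    r"\\AppData\\Roaming\\(Electrum|Exodus|Ethereum|Binance|MultiDoge|"
    r"com\.liberty\.jaxx|Ledger Live)\b", re.I)
# Chromium extension storage; the 32-character [a-p] token is the extension id.
EXT_STORE_RE = re.compile(r"\\(Local|Sync) Extension Settings\\([a-p]{32})\b", re.I)
# Extension ids from the report known to be wallets: nkbih... is MetaMask,
# bfnae... is Phantom. Assumption: extend this from your own inventory.
WALLET_EXT_IDS = {"nkbihfbeogaeaoehlefnkodbefgpgknn", "bfnaelmomeimhlpmgjnjophhpkkoljpa"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "chedot.exe"}
HIGH_CONFIDENCE = {"browser_secret", "wallet_app_data", "wallet_extension_store"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify_path(path):
    """Return the artifact category for a file path, or None if uninteresting."""
    name = basename(path)
    if name in BROWSER_SECRET_FILES:
        return "browser_secret"
    if name in BROWSER_HISTORY_FILES:
        return "browser_history"
    if name == "profiles.ini" and "\\mozilla\\firefox\\" in path.lower():
        return "firefox_profile_index"
    if WALLET_DIR_RE.search(path):
        return "wallet_app_data"
    m = EXT_STORE_RE.search(path)
    if m:
        ext_id = m.group(2).lower()
        return "wallet_extension_store" if ext_id in WALLET_EXT_IDS else "extension_store"
    return None


def summarize(events):
    """Map process image name -> {category: count} over file-open events."""
    per_proc = defaultdict(lambda: defaultdict(int))
    for ev in events:
        cat = classify_path(ev["path"])
        if cat:
            per_proc[basename(ev["process"])][cat] += 1
    return per_proc


def stealer_verdicts(events, min_hits=3):
    """Non-browser processes that read a high-confidence artifact, or that
    sweep at least min_hits lower-value artifacts in one run."""
    verdicts = {}
    for proc, cats in summarize(events).items():
        if proc in BROWSERS:
            continue  # the browser owns its own profile
        if HIGH_CONFIDENCE & set(cats) or sum(cats.values()) >= min_hits:
            verdicts[proc] = dict(cats)
    return verdicts


# Constructed file-open events that reuse paths from the report.
U = r"C:\Users\user\AppData"
SAMPLE_FILE_EVENTS = [
    {"process": r"C:\Windows\System32\rundll32.exe",
     "path": U + r"\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json"},
    {"process": r"C:\Windows\System32\rundll32.exe",
     "path": U + r"\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"process": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "path": U + r"\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"process": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "path": U + r"\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn"},
    {"process": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "path": U + r"\Local\Google\Chrome\User Data\Default\History"},
    {"process": r"C:\ProgramData\MPGPH131\MPGPH131.exe",
     "path": U + r"\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT"},
    {"process": r"C:\ProgramData\MPGPH131\MPGPH131.exe",
     "path": U + r"\Roaming\Mozilla\Firefox\profiles.ini"},
    {"process": r"C:\ProgramData\MPGPH131\MPGPH131.exe",
     "path": U + r"\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\formhistory.sqlite"},
    {"process": r"C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe",
     "path": U + r"\Roaming\Exodus\exodus.wallet"},
    {"process": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": U + r"\Local\Google\Chrome\User Data\Default\Login Data"},  # legitimate owner
]

if __name__ == "__main__":
    for proc, cats in stealer_verdicts(SAMPLE_FILE_EVENTS).items():
        print(proc, cats)
```

Any access to `Local Extension Settings` or `Sync Extension Settings` by something other than the browser is already abnormal; the wallet-ID mapping only raises the category from extension_store to wallet_extension_store, so an unmapped ID still counts toward the sweep threshold. RegAsm.exe and rundll32.exe are signed Microsoft binaries, which is why the classifier keys on the profile paths rather than on the image.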
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                                Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                                Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\logins.json
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\formhistory.sqlite
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                                Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Chedot\User Data\Default\Login Data
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                                Source: C:\Windows\System32\rundll32.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\places.sqlite
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Comodo\Dragon\User Data\Default\Login Data
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\signons.sqlite
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\logins.json
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Orbitum\User Data\Default\Login Data
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Vivaldi\User Data\Default\Login Data
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\key4.db
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\signons.sqlite
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Chromium\User Data\Default\Login Data
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\CocCoc\Browser\User Data\Default\Login Data
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\CentBrowser\User Data\Default\Login Data
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Ledger Live
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Binance
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Roaming\.purple\accounts.xml
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\.purple\accounts.xml
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Windows\System32\.purple\accounts.xml
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Windows\.purple\accounts.xml
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\.purple\accounts.xml
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\.purple\accounts.xml
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\.purple\accounts.xml
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\.purple\accounts.xml
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Program Files (x86)\vRsQBEcmEIGkqEpDGqTwSYiLxMotqbdLwfLzshkGwdviKpboeRnPCRmkQAFYAhFhHzxVmuNknx\.purple\accounts.xml
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Temp\09fd851a4f\.purple\accounts.xml
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Windows\SysWOW64\.purple\accounts.xml
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Program Files\Google\Chrome\Application\.purple\accounts.xml
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Temp\1000055001\.purple\accounts.xml
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Temp\4d0ab15804\.purple\accounts.xml
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Users\user\AppData\Local\Temp\1000147001\.purple\accounts.xml
                                Source: C:\Windows\System32\rundll32.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\.purple\accounts.xml
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                                Source: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                                Source: C:\ProgramData\MPGPH131\MPGPH131.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                                Source: fb1076712b.exeBinary or memory string: WIN_81
                                Source: fb1076712b.exe, 0000001B.00000003.2799870196.0000000001139000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WIN_XP
                                Source: fb1076712b.exe, 0000001B.00000000.2486401927.0000000000992000.00000002.00000001.01000000.0000000F.sdmpBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
                                Source: fb1076712b.exeBinary or memory string: WIN_XPe
                                Source: fb1076712b.exeBinary or memory string: WIN_VISTA
                                Source: fb1076712b.exeBinary or memory string: WIN_7
                                Source: fb1076712b.exeBinary or memory string: WIN_8
                                Source: fb1076712b.exe, 0000000D.00000003.2652929850.00000000014A2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: WIN_XP!#PP=
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXA
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\EIVQSAOTAQ
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\GIGIYTFFYT
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDB
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\PIVFAGEAAV
                                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\SUAVTZKNFL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: Yara match | File source: 0000001E.00000002.2745944296.00000000012E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.2750462233.0000000000F9D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.2567508830.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2676382409.00000000079B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: a14d081f84.exe PID: 1456, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 8912, type: MEMORYSTR

                                Remote Access Functionality

Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\alexxxxxxxx[1].exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT826D.tmp, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\jok[1].exe, type: DROPPED
Source: Yara match | File source: 0000001E.00000003.2651044580.0000000007B09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.2747382681.0000000000411000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000003.2651935051.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000003.2651686568.0000000007B09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000002.2763346512.0000000000581000.00000040.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.2443781465.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2676484710.00000000079FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.2758476389.0000000007B23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.2743444356.0000000000411000.00000040.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.2761794981.0000000007970000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.2679394212.0000000000C11000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.2567061812.00000000079FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000003.2530726910.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000003.2511709455.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000026.00000003.2664446701.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.2567508830.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2676382409.00000000079B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.2566711437.00000000079FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.2567220564.00000000079FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000003.2566883386.00000000079FA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000003.2577880849.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000003.2651321951.0000000007B09000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.2670373091.0000000000C11000.00000040.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: a14d081f84.exe PID: 1456, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 8912, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\ai7r4g0iAr_FU6jbGEv2feP.zip, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\qRHF0I3SLdbVi0YvmQyqu8Z.zip, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\2kpfKwlB_SMWQoOpeV00Wxp.zip, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT826D.tmp, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: 2_2_004302D8 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo, 2_2_004302D8
Source: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | Code function: 2_2_0042F5E1 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::GetInternalContext, 2_2_0042F5E1
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_00951204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 13_2_00951204
Source: C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe | Code function: 13_2_00951806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 13_2_00951806
MITRE ATT&CK Matrix

Techniques are listed per tactic column. A leading number is the report's signature-count superscript for that technique, kept as it appears; entries without a number had no signature attributed in this analysis.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information; Determine Physical Locations

Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server; Virtual Private Server

Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain; Compromise Hardware Supply Chain

Execution: 221 Windows Management Instrumentation; 11 Native API; 1 Exploitation for Client Execution; 2 Command and Scripting Interpreter; 11 Scheduled Task/Job; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell; Unix Shell

Persistence: 1 DLL Side-Loading; 2 Valid Accounts; 11 Scheduled Task/Job; 11 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers

Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; 11 Scheduled Task/Job; 11 Registry Run Keys / Startup Folder; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers

Defense Evasion: 111 Disable or Modify Tools; 11 Deobfuscate/Decode Files or Information; 4 Obfuscated Files or Information; 1 Install Root Certificate; 22 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 11 Masquerading; 2 Valid Accounts; 691 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection; 1 Rundll32

Credential Access: 2 OS Credential Dumping; 31 Input Capture; 1 Credentials in Registry; 1 Credentials In Files; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging; GUI Input Capture

Discovery: 2 System Time Discovery; 1 Account Discovery; 13 File and Directory Discovery; 3410 System Information Discovery; 1191 Security Software Discovery; 691 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; Network Service Discovery; System Network Connections Discovery; Process Discovery; Permission Groups Discovery

Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content; Replication Through Removable Media

Collection: 11 Archive Collected Data; 41 Data from Local System; 1 Email Collection; 31 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture; Email Collection

Command and Control: 1 Ingress Tool Transfer; 1 Encrypted Channel; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS; Proxy

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium; Exfiltration over USB

Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking; Network Denial of Service

                                Legend:

                                • Process
                                • Signature
                                • Created File
                                • DNS/IP Info
                                • Is Dropped
                                • Is Windows Process
                                • Number of created Registry Values
                                • Number of created Files
                                • Visual Basic
                                • Delphi
                                • Java
                                • .Net C# or VB.NET
                                • C, C++ or other language
                                • Is malicious
                                • Internet
Behavior Graph (ID 1428423, sample tA6etkt3gb.exe, start date 18/04/2024, architecture WINDOWS, score 100)

Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 21 other signatures

Process tree (graph node numbers in brackets; child processes are indented under their parent):

[10] tA6etkt3gb.exe
    Dropped: C:\Users\user\AppData\Local\...\explorha.exe (PE32)
    Signatures: Detected unpacking (changes PE section rights); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to evade debugger and weak emulator (self modifying code); 2 other signatures
    [21] explorha.exe
        Network: 193.233.132.167 (FREE-NET-ASFREEnetEU, Russian Federation); 193.233.132.56 (FREE-NET-ASFREEnetEU, Russian Federation)
        Dropped: C:\Users\user\AppData\Roaming\...\cred64.dll (PE32+); C:\Users\user\AppData\Roaming\...\clip64.dll (PE32); C:\Users\user\AppData\...\a14d081f84.exe (PE32); 8 other malicious files
        Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights); Creates multiple autostart registry keys; 4 other signatures
        [40] a14d081f84.exe
            Network: 34.117.186.192 (GOOGLE-AS-APGoogleAsiaPacificPteLtdSG, United States); 147.45.47.93 (FREE-NET-ASFREEnetEU, Russian Federation); 104.26.4.15 (CLOUDFLARENETUS, United States)
            Dropped: C:\Users\user\AppData\Local\...\RageMP131.exe (PE32); C:\ProgramData\MPGPH131\MPGPH131.exe (PE32); C:\Users\user\...\qRHF0I3SLdbVi0YvmQyqu8Z.zip (Zip)
            Signatures: Detected unpacking (changes PE section rights); Tries to steal Mail credentials (via file / registry access); Found many strings related to Crypto-Wallets (likely being stolen); 3 other signatures
            [61] schtasks.exe
                Signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                [73] conhost.exe
            [64] schtasks.exe
                [75] conhost.exe
            [66] WerFault.exe
                Network: 20.42.73.29 (MICROSOFT-CORP-MSN-AS-BLOCKUS, United States)
        [45] amert.exe
            Dropped: C:\Users\user\AppData\Local\...\chrosha.exe (PE32)
            Signatures: 4 other signatures
        [47] rundll32.exe
            [69] rundll32.exe
                Signatures: Tries to steal Instant Messenger accounts or passwords; Uses netsh to modify the Windows network and firewall settings; Tries to harvest and steal WLAN passwords
                [77] powershell.exe
                    Dropped: C:\Users\user\...\246122658369_Desktop.zip (Zip)
                    Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Loading BitLocker PowerShell Module
                    [92] conhost.exe
                [81] netsh.exe
                    [94] conhost.exe
        [59] 3 other processes
            Signatures: Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection
            [71] chrome.exe
                Network: 192.168.2.6; 239.255.255.250 (Reserved)
                [83] chrome.exe
                    Network: 142.250.105.105 (GOOGLEUS, United States); 142.250.105.94 (GOOGLEUS, United States); 9 other IPs or domains
                [86] chrome.exe
                    Network: 142.251.15.100 (GOOGLEUS, United States)
                [88] chrome.exe
                [90] 2 other processes
[14] chrosha.exe
    Network: 185.172.128.19 (NADYMSS-ASRU, Russian Federation); 147.45.47.102 (FREE-NET-ASFREEnetEU, Russian Federation); 148.135.72.74 (ERI-ASUS, Sweden)
    Dropped: C:\Users\user\AppData\Roaming\...\cred64.dll (PE32+); C:\Users\user\AppData\Roaming\...\clip64.dll (PE32); C:\Users\user\AppData\Local\...\file300un.exe (PE32+); 20 other malicious files
    Signatures: Hides threads from debuggers; 2 other signatures
    [26] swiiiii.exe
        Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
        [49] RegAsm.exe
            Network: 172.67.181.34 (CLOUDFLARENETUS, United States)
            Signatures: Query firmware table information (likely to detect VMs); Installs new ROOT certificates; 2 other signatures
        [51] conhost.exe
    [28] rundll32.exe
        [53] rundll32.exe
            Signatures: System process connects to network (likely due to code injection or exploit); Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal ftp login credentials
[17] MPGPH131.exe
    Dropped: C:\Users\user\...\ai7r4g0iAr_FU6jbGEv2feP.zip (Zip)
    Signatures: Tries to steal Mail credentials (via file / registry access); Machine Learning detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen)
    [30] WerFault.exe
[19] 9 other processes
    Network: 169.150.236.99 (SPIRITTEL-ASUS, United States); 23.44.104.130 (AKAMAI-ASUS, United States); 127.0.0.1
    Dropped: SystemMechanic_548...38868BD1.exe (copy) (PE32); C:\Users\user\AppData\Local\...\BIT826D.tmp (PE32); C:\Users\user\...\2kpfKwlB_SMWQoOpeV00Wxp.zip (Zip)
    Signatures: Benign windows process drops PE files; Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to harvest and steal browser information (history, passwords, etc)
    [32] chrome.exe
        [55] chrome.exe
    [34] chrome.exe
        [57] chrome.exe
    [36] WerFault.exe
    [38] 4 other processes

Antivirus detection, submitted sample

Source | Detection | Scanner | Label
tA6etkt3gb.exe | 39% | ReversingLabs | Win32.Trojan.Generic
tA6etkt3gb.exe | 100% | Avira | TR/Crypt.TPM.Gen
tA6etkt3gb.exe | 100% | Joe Sandbox ML |
Antivirus detection, dropped files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\NewB[1].exe | 100% | Avira | TR/Redcap.pernp
C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\NewB[1].exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\NewB[1].exe | 76% | ReversingLabs | Win32.Trojan.Malgent
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\cred64[1].dll | 71% | ReversingLabs | Win64.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\swiiii[1].exe | 92% | ReversingLabs | ByteCode-MSIL.Trojan.LummaStealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\Startup[1].exe | 62% | ReversingLabs | ByteCode-MSIL.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\alexxxxxxxx[1].exe | 96% | ReversingLabs | ByteCode-MSIL.Trojan.PureLogStealer
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\clip64[1].dll | 96% | ReversingLabs | Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\file300un[1].exe | 46% | ReversingLabs | ByteCode-MSIL.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\gold[1].exe | 34% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\jok[1].exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\amadka[1].exe | 39% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\build_1GyXIDXRUC[1].exe | 66% | ReversingLabs | Win32.Trojan.Znyonm
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\clip64[1].dll | 82% | ReversingLabs | Win32.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\cred64[1].dll | 92% | ReversingLabs | Win64.Trojan.Amadey
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\swiiiii[1].exe | 92% | ReversingLabs | ByteCode-MSIL.Trojan.LummaStealer
C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe | 39% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe | 92% | ReversingLabs | ByteCode-MSIL.Trojan.LummaStealer
C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe | 96% | ReversingLabs | ByteCode-MSIL.Trojan.PureLogStealer
C:\Users\user\AppData\Local\Temp\1000149001\gold.exe | 34% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe | 76% | ReversingLabs | Win32.Trojan.Malgent
C:\Users\user\AppData\Local\Temp\1000152001\jok.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\1000153001\swiiii.exe | 92% | ReversingLabs | ByteCode-MSIL.Trojan.LummaStealer
C:\Users\user\AppData\Local\Temp\1000167001\build_1GyXIDXRUC.exe | 66% | ReversingLabs | Win32.Trojan.Znyonm
C:\Users\user\AppData\Local\Temp\1000173001\Startup.exe | 62% | ReversingLabs | ByteCode-MSIL.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\1000181001\file300un.exe | 46% | ReversingLabs | ByteCode-MSIL.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\iolo\dm\BIT826D.tmp | 12% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe (copy) | 12% | ReversingLabs |
C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll | 82% | ReversingLabs | Win32.Trojan.Amadey
C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll | 71% | ReversingLabs | Win64.Trojan.Amadey
C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll | 96% | ReversingLabs | Win32.Trojan.Amadey
C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll | 92% | ReversingLabs | Win64.Trojan.Amadey
                                No Antivirus matches
                                No Antivirus matches
Antivirus detection, URLs

Source | Detection | Scanner | Label
http://pesterbdd.com/images/Pester.png | 100% | URL Reputation | malware
https://contoso.com/Icon | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
http://193.233.132.167/cost/lenin.exe | 100% | URL Reputation | malware
                                No contacted domains info
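The "Directory queried" lines at the top of this section (RegAsm.exe, a signed .NET utility, walking the user's Documents tree after swiiiii.exe injected a PE into it, per the behavior graph), the antivirus verdict tables and the URL reputation table are the data an analyst copies out of a report to drive triage. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses those three record types, accepting both the fused columns of a raw text export and pipe-separated columns, flags a Windows-native .NET host enumerating user profile folders, groups dropped files by the family named in the ReversingLabs label, and emits the hosts of URL rows rated malware as network IOCs. The NATIVE_HOSTS list, the user-folder pattern and the record layouts are assumptions about such exports; the sample lines are constructed from entries on this page plus one invented negative case.

```python
"""Triage helpers for text exports of Joe Sandbox-style reports (added example).

Three record types seen on this page are parsed:
  * "Source: <process>Directory queried: <path>" behaviour lines
  * antivirus verdict rows  "<file><pct>%<scanner><label>"
  * URL reputation rows     "<url><pct>%URL Reputation<malware|safe>"
Columns in a copy-pasted export are often fused (no separator) or
pipe-separated; the patterns below accept either form.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

SEP = r"\s*\|?\s*"  # optional " | " column separator between fields

# Signed .NET hosts that, on their own, have no business walking user profile
# folders; doing so is the injected-code pattern RegAsm.exe shows in this report.
# Assumption: this list is illustrative, extend it for your environment.
NATIVE_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe", "aspnet_compiler.exe"}
USER_DATA_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(documents|desktop|downloads|appdata\\roaming)(\\|$)", re.I)

DIR_RE = re.compile(r"^Source:\s*(?P<proc>.+?\.exe)" + SEP + r"Directory queried:\s*(?P<path>.+?)\s*$", re.I)
AV_RE = re.compile(r"^(?P<file>.+?)" + SEP + r"(?P<pct>\d{1,3})%" + SEP
                   + r"(?P<scanner>ReversingLabs|Avira|Joe Sandbox ML)" + SEP + r"(?P<label>.*?)\s*$")
URL_RE = re.compile(r"^(?P<url>\S+?)" + SEP + r"(?P<pct>\d{1,3})%" + SEP
                    + r"URL Reputation" + SEP + r"(?P<verdict>malware|safe)\s*$", re.I)


def parse_dir_queries(lines):
    """Yield (process, path) pairs from 'Directory queried' behaviour lines."""
    for line in lines:
        m = DIR_RE.match(line.strip())
        if m:
            yield m["proc"].strip(), m["path"]


def suspicious_enumeration(lines):
    """Sorted (process, path) pairs where a native .NET host walks user data folders."""
    hits = {
        (proc, path) for proc, path in parse_dir_queries(lines)
        if proc.rsplit("\\", 1)[-1].lower() in NATIVE_HOSTS and USER_DATA_RE.match(path)
    }
    return sorted(hits)


def family_summary(lines):
    """ReversingLabs family name -> sorted files carrying it ('unlabelled' if no label)."""
    fam = defaultdict(set)
    for line in lines:
        m = AV_RE.match(line.strip())
        if not m or m["scanner"] != "ReversingLabs":
            continue
        parts = m["label"].split(".")  # Platform.Type.Family, e.g. Win32.Trojan.Amadey
        fam[parts[-1] if len(parts) >= 3 else "unlabelled"].add(m["file"].strip())
    return {k: sorted(v) for k, v in fam.items()}


def network_iocs(lines):
    """Host (IP or domain) -> sorted URLs from reputation rows rated 'malware'."""
    iocs = defaultdict(set)
    for line in lines:
        m = URL_RE.match(line.strip())
        if m and m["verdict"].lower() == "malware":
            host = urlparse(m["url"]).hostname
            if host:
                iocs[host].add(m["url"])
    return {h: sorted(u) for h, u in iocs.items()}


# Constructed sample: records copied from this report, some in raw fused form
# and some pipe-separated; the jok.exe directory line is an invented negative
# case (a non-native process enumerating the same folder).
SAMPLE = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeDirectory queried: C:\Users\user\Documents
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\1000152001\jok.exeDirectory queried: C:\Users\user\Documents
C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll82%ReversingLabsWin32.Trojan.Amadey
C:\Users\user\AppData\Local\Temp\1000152001\jok.exe | 74% | ReversingLabs | ByteCode-MSIL.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\iolo\dm\BIT826D.tmp12%ReversingLabs
tA6etkt3gb.exe100%AviraTR/Crypt.TPM.Gen
http://pesterbdd.com/images/Pester.png100%URL Reputationmalware
https://contoso.com/Icon | 0% | URL Reputation | safe
http://193.233.132.167/cost/lenin.exe100%URL Reputationmalware
""".strip().splitlines()

if __name__ == "__main__":
    for proc, path in suspicious_enumeration(SAMPLE):
        print(f"ALERT native host enumerating user data: {proc} -> {path}")
    for family, files in sorted(family_summary(SAMPLE).items()):
        print(f"{family}: {len(files)} file(s)")
    for host, urls in network_iocs(SAMPLE).items():
        print(f"IOC {host}: {', '.join(urls)}")
```

The family grouping is deliberately limited to ReversingLabs labels, whose Platform.Type.Family layout is consistent across this table; Avira and Joe Sandbox ML rows are counted as detections but not used for naming. Hosts are taken from the URL-reputation rows only, so the 193.233.132.56 strings in the following table, which the report marks as not malicious, are left for the analyst to judge.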
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | a14d081f84.exe, 00000011.00000003.2543962831.00000000079F7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2546001688.0000000007A20000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2555455462.0000000007A21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2631836314.0000000007B81000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2611464919.0000000007B81000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | a14d081f84.exe, 00000011.00000003.2543962831.00000000079F7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2546001688.0000000007A20000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2555455462.0000000007A21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2631836314.0000000007B81000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2611464919.0000000007B81000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://193.233.132.167/cost/sarra.exe6a&I | explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://db-ip.com/ | a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://193.233.132.56/ry | rundll32.exe, 00000005.00000002.2506410842.000002B051590000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://t.me/risepro_bot.52 | a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://193.233.132.167/cost/go.exe | a14d081f84.exe, 00000011.00000002.2672552114.000000000143D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000002.2745944296.00000000012E6000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://193.233.132.56/Pneh2sXQk0/index.php?wal=1 | rundll32.exe, 00000005.00000002.2506410842.000002B051590000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2505986332.000002B04F5B2000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://193.233.132.167/cost/lenin.exea.ac | a14d081f84.exe, 00000011.00000003.2567470596.000000000143A000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2672552114.000000000143D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://db-ip.com/demo/home.php?s=81.181.57.52T | a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000009.00000002.2416896058.000001DC018D6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2445357143.000001DC10075000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dll | explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://t.me/risepro_botisepro_bot | a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | false | | high
                                                          http://193.233.132.56/pDatarundll32.exe, 00000005.00000002.2505986332.000002B04F5B2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            unknown
                                                            https://ipinfo.io/widget/demo/81.181.57.522=MPGPH131.exe, 0000001E.00000002.2745944296.000000000125B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              http://www.winimage.com/zLibDllDpa14d081f84.exe, 00000011.00000002.2670373091.0000000000C11000.00000040.00000001.01000000.00000012.sdmpfalse
                                                                high
                                                                http://193.233.132.56/taexplorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  unknown
                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000009.00000002.2416896058.000001DC00001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    http://193.233.132.56/explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2505986332.000002B04F5B2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      unknown
                                                                      https://t.96vMPGPH131.exe, 0000001E.00000002.2745944296.00000000012E6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        low
                                                                        https://aka.ms/winsvr-2022-pshelppowershell.exe, 00000009.00000002.2416896058.000001DC00228000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.2416896058.000001DC014AE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          http://193.233.132.56/Pneh2sXQk0/index.phpdedNexplorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            http://193.233.132.167/mine/amert.exeVexplorha.exe, 00000002.00000002.3649423302.0000000000BD0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              unknown
                                                                              http://193.233.132.56/Pneh2sXQk0/index.phpf182f2explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                unknown
                                                                                http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000009.00000002.2416896058.000001DC00228000.00000004.00000800.00020000.00000000.sdmptrue
                                                                                • URL Reputation: malware
                                                                                unknown
                                                                                http://schemas.xmlsoap.org/soap/encoding/powershell.exe, 00000009.00000002.2416896058.000001DC00228000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000009.00000002.2416896058.000001DC00228000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    http://193.233.132.56/015f815db2cd0aea5fb37b3eefba1586aa0e17eun1explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      unknown
                                                                                      https://contoso.com/Iconpowershell.exe, 00000009.00000002.2445357143.000001DC10075000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      https://ipinfo.io:443/widget/demo/81.181.57.524a14d081f84.exe, 00000011.00000002.2671676369.00000000013DB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dlla14d081f84.exe, 00000011.00000003.2443781465.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2670373091.0000000000C11000.00000040.00000001.01000000.00000012.sdmp, MPGPH131.exe, 0000001E.00000002.2743444356.0000000000411000.00000040.00000001.01000000.00000014.sdmpfalse
                                                                                          high
                                                                                          http://193.233.132.56/015f815db2cd0aea5fb37b3eefba1586aa0e17e76#da#explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=a14d081f84.exe, 00000011.00000003.2543962831.00000000079F7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2546001688.0000000007A20000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2555455462.0000000007A21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2631836314.0000000007B81000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2611464919.0000000007B81000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://crl.ver)svchost.exe, 0000000F.00000002.3791153756.00000264BFA00000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                low
                                                                                                https://ipinfo.io/widget/demo/81.181.57.524a14d081f84.exe, 00000011.00000002.2671676369.00000000013A7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://t.me/RiseProSUPPORTa14d081f84.exe, 00000011.00000002.2676382409.00000000079B7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2567220564.00000000079FA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2651044580.0000000007B09000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2651935051.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2651686568.0000000007B09000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000002.2758476389.0000000007B23000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://www.youtube.com/account)Sfb1076712b.exe, 0000000D.00000003.2663803199.0000000003C90000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000003.2654819557.0000000003C89000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000003.2654723196.0000000003C80000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://193.233.132.56/015f815db2cd0aea5fb37b3eefba1586aa0e17e76adaaTexplorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        unknown
                                                                                                        http://193.233.132.56/33.132.56/;Sexplorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          unknown
                                                                                                          https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exe9C:svchost.exe, 0000000F.00000002.3595493275.0000009634EFB000.00000004.00000010.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.3664641531.00000264BAD02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3281658681.00000264BF932000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.3685155227.00000264BB240000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000F.00000003.3366977063.00000264BF935000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            https://www.ecosia.org/newtab/a14d081f84.exe, 00000011.00000003.2543962831.00000000079F7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2546001688.0000000007A20000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2555455462.0000000007A21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2631836314.0000000007B81000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2611464919.0000000007B81000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              http://193.233.132.167/cost/sarra.exe4Hnexplorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                unknown
                                                                                                                https://github.com/Pester/Pesterpowershell.exe, 00000009.00000002.2416896058.000001DC00228000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://www.youtube.com/accountfb1076712b.exe, 0000000D.00000003.2660431825.0000000003CCE000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2554280863.00000000079E6000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2545113322.00000000079E0000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000001B.00000003.2815068147.00000000039F5000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000001B.00000003.2757492839.00000000039E7000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000001B.00000003.2813835658.0000000003A73000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000001B.00000003.2758477744.00000000039EE000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000001B.00000002.2822140000.0000000003A73000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2628017103.0000000007B48000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://ipinfo.io/Ea14d081f84.exe, 00000011.00000002.2671676369.00000000013BE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://193.233.132.167/mine/amert.exehpexplorha.exe, 00000002.00000002.3649423302.0000000000BD0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        https://g.live.com/odclientsettings/Prod1C:svchost.exe, 0000000F.00000003.2405216432.00000264BF98E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          http://193.233.132.56/33.132.56/Dataexplorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            unknown
                                                                                                                            https://accounts.google.ca14d081f84.exe, 00000011.00000003.2545113322.00000000079E0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              https://ipinfo.io/a14d081f84.exe, 00000011.00000002.2671676369.00000000013BE000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2671676369.00000000013E4000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2671676369.000000000137E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                http://193.233.132.56/33.132.56/aexplorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  http://193.233.132.167/cost/random.exeexplorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    http://schemas.xmlsoap.org/wsdl/powershell.exe, 00000009.00000002.2416896058.000001DC00228000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exesvchost.exe, 0000000F.00000002.3811894214.00000264BFA54000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.3664641531.00000264BAD02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000F.00000002.3791153756.00000264BFA1F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        http://193.233.132.167/cost/random.exeyI)explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          http://193.233.132.56/Pneh2sXQk0/index.php00054001explorha.exe, 00000002.00000002.3649423302.0000000000BF0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            http://193.233.132.56/Pneh2sXQk0/index.phplexplorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              http://193.233.132.167/cost/sarra.exeexplorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                http://193.233.132.56/Pneh2sXQk0/Plugins/cred64.dllexplorha.exe, 00000002.00000002.3649423302.0000000000BD0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  http://193.233.132.167/cost/sarra.exe-Iuexplorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    http://193.233.132.56/Pneh2sXQk0/index.phptexplorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      unknown
                                                                                                                                                      http://www.winimage.com/zLibDllDpRTpRa14d081f84.exe, 00000011.00000003.2443781465.0000000004E90000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        http://193.233.132.167/mine/random.exeexplorha.exe, 00000002.00000002.3649423302.0000000000BD0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                          unknown
                                                                                                                                                          http://193.233.132.167/cost/lenin.exesera14d081f84.exe, 00000011.00000003.2567470596.000000000143A000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2672552114.000000000143D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            unknown
                                                                                                                                                            http://193.233.132.56/Pneh2sXQk0/index.phpiexplorha.exe, 00000002.00000002.3649423302.0000000000BA2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                              unknown
                                                                                                                                                              https://download.iolo.net/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.exeeeCsvchost.exe, 0000000F.00000002.3636053512.00000264BA4A2000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                unknown
                                                                                                                                                                http://147.45.47.102:57893/hera/amadka.exea14d081f84.exe, 00000011.00000003.2567470596.000000000143A000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000002.2672552114.000000000143D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000002.2745944296.00000000012E6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  unknown
                                                                                                                                                                  https://contoso.com/Licensepowershell.exe, 00000009.00000002.2445357143.000001DC10075000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                                  unknown
                                                                                                                                                                  https://www.youtube.com/accountefb1076712b.exe, 0000000D.00000003.2662711419.0000000003CE1000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000003.2661944984.0000000003CCF000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000002.2668946102.0000000003CE8000.00000004.00000020.00020000.00000000.sdmp, fb1076712b.exe, 0000000D.00000003.2660431825.0000000003CCE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=a14d081f84.exe, 00000011.00000003.2543962831.00000000079F7000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2546001688.0000000007A20000.00000004.00000020.00020000.00000000.sdmp, a14d081f84.exe, 00000011.00000003.2555455462.0000000007A21000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2631836314.0000000007B81000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000001E.00000003.2611464919.0000000007B81000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      high
                                                                                                                                                                      http://193.233.132.56/Pneh2sXQk0/Plugins/clip64.dllA8explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        unknown
                                                                                                                                                                        http://193.233.132.167/cost/lenin.exe.exe68.0a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          unknown
                                                                                                                                                                          http://193.233.132.56/Pneh2sXQk0/index.phpXexplorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmpfalse
unknown

URL (string as found in memory) | Source (process, memory dump) | Malicious | Antivirus detection / reputation
http://193.233.132.56/015f815db2cd0aea5fb37b3eefba1586aa0e156001 | explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://193.233.132.56/Pneh2sXQk0/index.php | rundll32.exe, 00000008.00000002.3588493265.00000000034F0000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://www.youtube.com/accountf | fb1076712b.exe, 0000001B.00000002.2819083114.000000000109C000.00000004.00000020.00020000.00000000.sdmp; fb1076712b.exe, 0000001B.00000003.2812698863.000000000109B000.00000004.00000020.00020000.00000000.sdmp; fb1076712b.exe, 0000001B.00000003.2787438184.000000000105C000.00000004.00000020.00020000.00000000.sdmp; fb1076712b.exe, 0000001B.00000003.2786559543.0000000001057000.00000004.00000020.00020000.00000000.sdmp | false | high
http://193.233.132.56/Pneh2sXQk0/index.phpT | rundll32.exe, 00000008.00000002.3588493265.00000000034F0000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://www.winimage.com/zLibDllDpSTpS | MPGPH131.exe, 0000001E.00000002.2743444356.0000000000411000.00000040.00000001.01000000.00000014.sdmp | false | high
http://193.233.132.167/mine/amert.exe1 | explorha.exe, 00000002.00000002.3649423302.0000000000BD0000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://193.233.132.56/Pneh2sXQk0/index.php51a4f | explorha.exe, 00000002.00000002.3649423302.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://www.youtube.com/accountn | fb1076712b.exe, 0000000D.00000002.2668846034.0000000003CCB000.00000004.00000020.00020000.00000000.sdmp; fb1076712b.exe, 0000000D.00000003.2661241476.0000000003CBA000.00000004.00000020.00020000.00000000.sdmp | false | high
http://193.233.132.56/33.132.56/Pictures | explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://t.me/risepro_bota= | MPGPH131.exe, 0000001E.00000002.2745944296.000000000125B000.00000004.00000020.00020000.00000000.sdmp | false | high
https://download.iolo.net:443/sm/24/11A12794-499E-4FA0-A281-A9A9AA8B2685/24.3.0.57/SystemMechanic.ex | svchost.exe, 0000000F.00000002.3822509874.00000264BFA84000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | a14d081f84.exe, 00000011.00000003.2543962831.00000000079F7000.00000004.00000020.00020000.00000000.sdmp; a14d081f84.exe, 00000011.00000003.2546001688.0000000007A20000.00000004.00000020.00020000.00000000.sdmp; a14d081f84.exe, 00000011.00000003.2555455462.0000000007A21000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 0000001E.00000003.2631836314.0000000007B81000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 0000001E.00000003.2611464919.0000000007B81000.00000004.00000020.00020000.00000000.sdmp | false | high
http://193.233.132.56/Pneh2sXQk0/index.phpD | explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://contoso.com/ | powershell.exe, 00000009.00000002.2445357143.000001DC10075000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe; unknown
http://193.233.132.56/Pneh2sXQk0/index.phpded3 | explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://193.233.132.167/cost/sarra.exe86 | explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://193.233.132.56/33.132.56/214e40adc2dc8e2a9e730e8b2e8b2446fe1e928766ada# | explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://193.233.132.56/Pneh2sXQk0/index.php?wal=1m | rundll32.exe, 00000005.00000002.2506410842.000002B051590000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://193.233.132.167/cost/lenin.exe | a14d081f84.exe, 00000011.00000003.2567470596.000000000143A000.00000004.00000020.00020000.00000000.sdmp; a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp; a14d081f84.exe, 00000011.00000002.2672552114.000000000143D000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 0000001E.00000002.2745944296.00000000012E6000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware; unknown
http://193.233.132.56/Pneh2sXQk0/index.php9 | rundll32.exe, 00000005.00000002.2505986332.000002B04F58B000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://193.233.132.56/Pneh2sXQk0/index.php8 | explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://193.233.132.56/Pneh2sXQk0/index.php4 | explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | false | unknown
http://193.233.132.56/i2 | explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://db-ip.com:443/demo/home.php?s=81.181.57.52 | a14d081f84.exe, 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp | false | high
http://nuget.org/NuGet.exe | powershell.exe, 00000009.00000002.2416896058.000001DC018D6000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000009.00000002.2445357143.000001DC10075000.00000004.00000800.00020000.00000000.sdmp | false | high
http://193.233.132.167/cost/sarra.exe.168.2.6 | explorha.exe, 00000002.00000002.3649423302.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp | false | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | a14d081f84.exe, 00000011.00000003.2543962831.00000000079F7000.00000004.00000020.00020000.00000000.sdmp; a14d081f84.exe, 00000011.00000003.2546001688.0000000007A20000.00000004.00000020.00020000.00000000.sdmp; a14d081f84.exe, 00000011.00000003.2555455462.0000000007A21000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 0000001E.00000003.2631836314.0000000007B81000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 0000001E.00000003.2611464919.0000000007B81000.00000004.00000020.00020000.00000000.sdmp | false | high
[Map of contacted IPs by country; legend buckets: share of IPs < 25%, 25% to 50%, 50% to 75%, > 75%]
IP | Domain | Country | ASN | ASN name | Malicious
172.253.124.101 | unknown | United States | 15169 | GOOGLEUS | false
34.117.186.192 | unknown | United States | 139070 | GOOGLE-AS-APGoogleAsiaPacificPteLtdSG | false
172.67.181.34 | unknown | United States | 13335 | CLOUDFLARENETUS | false
193.233.132.56 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | true
173.194.219.93 | unknown | United States | 15169 | GOOGLEUS | false
142.251.15.100 | unknown | United States | 15169 | GOOGLEUS | false
147.45.47.93 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | false
20.42.73.29 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
142.250.9.94 | unknown | United States | 15169 | GOOGLEUS | false
148.135.72.74 | unknown | Sweden | 158 | ERI-ASUS | false
147.45.47.102 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
142.250.105.94 | unknown | United States | 15169 | GOOGLEUS | false
74.125.136.95 | unknown | United States | 15169 | GOOGLEUS | false
142.250.9.139 | unknown | United States | 15169 | GOOGLEUS | false
104.26.4.15 | unknown | United States | 13335 | CLOUDFLARENETUS | false
142.250.105.105 | unknown | United States | 15169 | GOOGLEUS | false
193.233.132.167 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | true
173.194.219.84 | unknown | United States | 15169 | GOOGLEUS | false
172.253.124.95 | unknown | United States | 15169 | GOOGLEUS | false
185.172.128.19 | unknown | Russian Federation | 50916 | NADYMSS-ASRU | false
169.150.236.99 | unknown | United States | 2711 | SPIRITTEL-ASUS | false
23.44.104.130 | unknown | United States | 16625 | AKAMAI-ASUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
64.233.185.94 | unknown | United States
                                                                                                                                                                                                                              15169GOOGLEUSfalse
                                                                                                                                                                                                                              IP
                                                                                                                                                                                                                              192.168.2.6
                                                                                                                                                                                                                              127.0.0.1
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1428423
Start date and time: 2024-04-18 22:52:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 13m 47s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 62
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: tA6etkt3gb.exe
renamed because original name is a hash value
Original Sample Name: a599e020f718cf8c8f2c4cbc4dd53a20.exe
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@143/189@0/27
EGA Information:
• Successful, ratio: 83.3%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
• Execution Graph export aborted for target powershell.exe, PID 7264 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded maximum capacity and may be missing behavior information
• Report size exceeded maximum capacity and may be missing disassembly code
• Report size getting too big, too many NtCreateFile calls found
• Report size getting too big, too many NtCreateKey calls found
• Report size getting too big, too many NtDeviceIoControlFile calls found
• Report size getting too big, too many NtEnumerateKey calls found
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtProtectVirtualMemory calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Skipping network analysis since the amount of network traffic is too extensive
• VT rate limit hit for: tA6etkt3gb.exe
| Time | Type | Description |
|---|---|---|
| 22:53:14 | Task Scheduler | Run new task: explorha, path: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe |
| 22:53:19 | API Interceptor | 50903x Sleep call for process explorha.exe modified |
| 22:53:27 | API Interceptor | 32x Sleep call for process powershell.exe modified |
| 22:53:30 | API Interceptor | 2x Sleep call for process svchost.exe modified |
| 22:53:30 | Autostart | Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value fb1076712b.exe, data C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe |
| 22:53:35 | Task Scheduler | Run new task: chrosha, path: C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe |
| 22:53:39 | Autostart | Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value a14d081f84.exe, data C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe |
| 22:53:40 | Task Scheduler | Run new task: MPGPH131 HR, path: C:\ProgramData\MPGPH131\MPGPH131.exe |
| 22:53:40 | Task Scheduler | Run new task: MPGPH131 LG, path: C:\ProgramData\MPGPH131\MPGPH131.exe |
| 22:53:47 | Autostart | Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value RageMP131, data C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
| 22:53:55 | API Interceptor | 3x Sleep call for process WerFault.exe modified |
| 22:53:56 | Autostart | Run key HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value fb1076712b.exe, data C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe |
| 22:53:59 | API Interceptor | 4193x Sleep call for process rundll32.exe modified |
| 22:54:04 | API Interceptor | 1820x Sleep call for process chrosha.exe modified |
| 22:54:04 | Autostart | Run key HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value a14d081f84.exe, data C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe |
| 22:54:09 | API Interceptor | 6x Sleep call for process RegAsm.exe modified |
| 22:54:17 | Task Scheduler | Run new task: NewB.exe, path: C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe |
| 22:54:23 | Autostart | Run key HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value RageMP131, data C:\Users\user\AppData\Local\RageMP131\RageMP131.exe |
| 22:54:44 | Autostart | Run: C:\Users\user\AppData\Local\Temp\1000150001\\13vEhP2s6bUwVCA6nXEFwBV3.bat |
| 22:54:56 | Autostart | Run: C:\Users\user\AppData\Local\Temp\1000150001\\2nXAMiEBtpHzeWDsUcwEDMfI.bat |
| 22:55:06 | Autostart | Run: C:\Users\user\AppData\Local\Temp\1000150001\\8NXvxwlFrmLAKRwZmxfpM2Us.bat |
| 22:55:07 | Task Scheduler | Run new task: GS_Debug, path: C:\Users\user\AppData\Roaming\Zqicom_beta\UniversalInstaller.exe |
| 22:55:07 | Task Scheduler | Run new task: HTE_demo_beta, path: C:\Users\user\AppData\Roaming\Zqicom_beta\UniversalInstaller.exe |
| 22:55:26 | Task Scheduler | Run new task: MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c HR, path: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe |
| 22:55:26 | Task Scheduler | Run new task: MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c LG, path: C:\ProgramData\MSIUpdaterV202_3e3a2bee5ace9e061f31a101c1269b0c\MSIUpdaterV202.exe |
| 22:55:27 | Autostart | Run: C:\Users\user\AppData\Local\Temp\1000150001\\bMnsQXQUiNSAjSPyXVbxw0Z1.bat |
| 22:55:34 | Task Scheduler | Run new task: wvvrjdjvkri, path: powershell.exe, arguments: -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc [elided] |
| 22:55:39 | Task Scheduler | Run new task: Opera scheduled assistant Autoupdate 1713473735, path: C:\Users\user\AppData\Local\Programs\Opera\autoupdate\opera_autoupdate.exe, arguments: --scheduledtask --productiscomponent --bypasslauncher --installdir="C:\Users\user\AppData\Local\Programs\Opera\assistant" --producttype=assistant $(Arg0) |
| 22:55:39 | Autostart | Run: C:\Users\user\AppData\Local\Temp\1000150001\\fEtRygZCjF80Cev2W4PHJwqO.bat |
| 22:55:45 | Task Scheduler | Run new task: Opera scheduled Autoupdate 1713473729, path: C:\Users\user\AppData\Local\Programs\Opera\autoupdate\opera_autoupdate.exe, arguments: --scheduledtask --bypasslauncher $(Arg0) |
| 22:55:46 | Task Scheduler | Run new task: TypeId, path: C:\Users\user\AppData\Roaming\Eras\TypeId.exe |
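The timeline above records the persistence this sample chain lays down: HKCU Run values (written once to the 32-bit and once to the 64-bit view of the key), scheduled tasks whose actions live under Temp, AppData and ProgramData, and one task that launches powershell.exe with an encoded command. The following Python is an added example, not code from the Joe Sandbox report or product: it parses rows in this flattened "Time / Type / Description" layout into structured records and turns the sandbox-specific paths into patterns for hunting on other hosts. The sample rows are copied from this report; the regular expressions, the reading of "s>" as the separator before a task's arguments, the directory classes and the suspicion rule are this example's own assumptions.

```python
"""Pull persistence indicators out of Joe Sandbox timeline rows.

Added example; not part of the Joe Sandbox report or product. Parses the
flattened "Time / Type / Description" rows (Autostart Run keys and Task
Scheduler tasks) and generalises the sandbox paths into hunt patterns.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Sample input: rows copied from the timeline of this report. The encoded
# PowerShell payload is not present in the report excerpt, so it stays elided.
TIMELINE = r"""
22:53:14Task SchedulerRun new task: explorha path: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
22:53:19API Interceptor50903x Sleep call for process: explorha.exe modified
22:53:30AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run fb1076712b.exe C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe
22:53:40Task SchedulerRun new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
22:53:47AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
22:53:56AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run fb1076712b.exe C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe
22:54:44AutostartRun: C:\Users\user\AppData\Local\Temp\1000150001\\13vEhP2s6bUwVCA6nXEFwBV3.bat
22:55:34Task SchedulerRun new task: wvvrjdjvkri path: powershell.exe s>-ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc [elided]
22:55:46Task SchedulerRun new task: TypeId path: C:\Users\user\AppData\Roaming\Eras\TypeId.exe
"""

ROW_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2})"
    r"(?P<type>Task Scheduler|Autostart|API Interceptor)"
    r"(?P<desc>.+)$"
)
# Assumption: "path: X s>Y" puts the task's arguments after "s>".
TASK_RE = re.compile(r"^Run new task: (?P<name>.+?) path: (?P<path>.+?)(?: s>(?P<args>.*))?$")
RUNKEY_RE = re.compile(r"^Run: (?P<key>HKCU(?:64)?\\[^ ]+\\Run) (?P<value>[^ ]+) (?P<data>.+)$")
RUNPATH_RE = re.compile(r"^Run: (?P<data>[A-Za-z]:\\.+)$")
USER_DIR = re.compile(r"^([A-Za-z]:\\Users\\)[^\\]+\\", re.I)
ENCODED_PS = re.compile(r"(?:^|\s)-(?:enc|encodedcommand|ec|e)(?=\s|$)", re.I)
# Most specific first; the first match wins.
LOCATIONS = (
    (re.compile(r"\\AppData\\Local\\Temp\\", re.I), "temp"),
    (re.compile(r"\\AppData\\", re.I), "appdata"),
    (re.compile(r"^[A-Za-z]:\\ProgramData\\", re.I), "programdata"),
)


@dataclass(frozen=True)
class PersistenceIOC:
    time: str
    mechanism: str            # scheduled_task | run_key:<hive\key> | autostart
    name: str                 # task name or Run value name ("" when not shown)
    target: str               # executable or script the mechanism launches
    args: str
    location: str             # temp | appdata | programdata | other
    hunt_pattern: str         # target with the sandbox user name wildcarded
    encoded_powershell: bool
    suspicious: bool


def _build(time: str, mechanism: str, name: str, target: str, args: str) -> PersistenceIOC:
    target = target.replace("\\\\", "\\")          # the report doubles one separator
    location = next((label for rx, label in LOCATIONS if rx.search(target)), "other")
    exe = target.rsplit("\\", 1)[-1].lower()
    encoded_ps = exe == "powershell.exe" and bool(ENCODED_PS.search(args))
    # Rule (assumption): launched from a user-writable tree, or via an encoded
    # PowerShell command line. ProgramData is noisier than Temp/AppData because
    # legitimate installers use it too; tune for your estate.
    suspicious = location != "other" or encoded_ps
    pattern = USER_DIR.sub(r"\1*\\", target)
    return PersistenceIOC(time, mechanism, name, target, args, location, pattern, encoded_ps, suspicious)


def parse_timeline(text: str) -> list[PersistenceIOC]:
    """Return one record per persistence row; other row types are skipped."""
    iocs: list[PersistenceIOC] = []
    for raw in text.strip().splitlines():
        row = ROW_RE.match(raw.strip())
        if not row or row["type"] == "API Interceptor":
            continue                                # sleep patching is not persistence
        desc = row["desc"]
        if row["type"] == "Task Scheduler":
            m = TASK_RE.match(desc)
            if m:
                iocs.append(_build(row["time"], "scheduled_task", m["name"], m["path"], m["args"] or ""))
            continue
        m = RUNKEY_RE.match(desc)
        if m:
            iocs.append(_build(row["time"], "run_key:" + m["key"], m["value"], m["data"], ""))
            continue
        m = RUNPATH_RE.match(desc)
        if m:
            iocs.append(_build(row["time"], "autostart", "", m["data"], ""))
    return iocs


def hunt_patterns(iocs: list[PersistenceIOC]) -> list[str]:
    """Distinct suspicious targets, sandbox user wildcarded, in first-seen order."""
    seen: dict[str, None] = {}
    for ioc in iocs:
        if ioc.suspicious:
            seen.setdefault(ioc.hunt_pattern, None)
    return list(seen)


if __name__ == "__main__":
    records = parse_timeline(TIMELINE)
    for ioc in records:
        print(f"{ioc.time} {ioc.mechanism:<55} {ioc.location:<12} {ioc.hunt_pattern} {ioc.args}")
    print("\nhunt patterns:")
    for p in hunt_patterns(records):
        print(" ", p)
```

The HKCU and HKCU64 rows for fb1076712b.exe collapse to one hunt pattern, which is the behaviour you want: the value was written twice because the report shows both registry views, not because there are two payloads. The powershell.exe task has no filesystem location to classify, so the encoded-command check is what keeps it on the list; a rule that only looked at paths would miss it.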
                                                                                                                                                                                                                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                                                                                                                                              34.117.186.192SecuriteInfo.com.Win32.Evo-gen.24318.16217.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                              • ipinfo.io/json
                                                                                                                                                                                                                              SecuriteInfo.com.Win32.Evo-gen.28489.31883.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                              • ipinfo.io/json
                                                                                                                                                                                                                              Raptor.HardwareService.Setup 1.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                              • ipinfo.io/ip
                                                                                                                                                                                                                              Conferma_Pdf_Editor.exeGet hashmaliciousPlanet StealerBrowse
                                                                                                                                                                                                                              • ipinfo.io/
                                                                                                                                                                                                                              Conferma_Pdf_Editor.exeGet hashmaliciousPlanet StealerBrowse
                                                                                                                                                                                                                              • ipinfo.io/
                                                                                                                                                                                                                              w.shGet hashmaliciousXmrigBrowse
                                                                                                                                                                                                                              • /ip
                                                                                                                                                                                                                              Raptor.HardwareService.Setup_2.3.6.0.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                              • ipinfo.io/ip
                                                                                                                                                                                                                              Raptor.HardwareService.Setup_2.3.6.0.msiGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                              • ipinfo.io/ip
                                                                                                                                                                                                                              uUsgzQ3DoW.exeGet hashmaliciousRedLineBrowse
                                                                                                                                                                                                                              • ipinfo.io/ip
                                                                                                                                                                                                                              8BZBgbeCcz.exeGet hashmaliciousRedLineBrowse
                                                                                                                                                                                                                              • ipinfo.io/ip
Match: 172.67.181.34
  bUWKfj04aU.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine
  ZS5jpAYEAc.exe | malicious | LummaC
  SecuriteInfo.com.W64.Agent.IKW.gen.Eldorado.16971.8931.exe | malicious | LummaC, MicroClip
Match: 193.233.132.56
  SecuriteInfo.com.Win32.TrojanX-gen.22693.32340.exe | malicious | Amadey, RisePro Stealer | 193.233.132.56/Pneh2sXQk0/index.php
  SecuriteInfo.com.Win32.PWSX-gen.580.27252.exe | malicious | Amadey, RisePro Stealer | 193.233.132.56/Pneh2sXQk0/index.php?wal=1
  4fMLTRkOfB.exe | malicious | Amadey, RisePro Stealer | 193.233.132.56/Pneh2sXQk0/index.php
  file.exe | malicious | Amadey, RisePro Stealer | 193.233.132.56/Pneh2sXQk0/index.php
  SecuriteInfo.com.Win32.PWSX-gen.29653.14309.exe | malicious | Amadey, RisePro Stealer | 193.233.132.56/Pneh2sXQk0/index.php
  SecuriteInfo.com.Win32.PWSX-gen.29871.25289.exe | malicious | Amadey, RisePro Stealer | 193.233.132.56/Pneh2sXQk0/index.php
  V28EuIqeda.exe | malicious | LummaC, PureLog Stealer, RisePro Stealer | 193.233.132.56/Pneh2sXQk0/index.php
  SecuriteInfo.com.Win32.PWSX-gen.14048.7584.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RisePro Stealer | 193.233.132.56/Pneh2sXQk0/index.php
  IqMDm7pxzh.exe | malicious | LummaC Stealer, PureLog Stealer, RisePro Stealer | 193.233.132.56/Pneh2sXQk0/index.php
  hDt1NKHx4j.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RisePro Stealer | 193.233.132.56/Pneh2sXQk0/index.php
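The IP context rows above give two reusable network indicators: the Amadey panel path 193.233.132.56/Pneh2sXQk0/index.php (also requested with ?wal=1) and the public-IP lookup ipinfo.io/ip that the RedLine-tagged samples share. The script below is an added example, not part of the Joe Sandbox report, that matches those indicators against web-proxy log lines. The log format and the log lines are constructed for the example; treating ipinfo.io as a weak indicator that only corroborates a strong one is an assumption, since ipinfo.io is a legitimate service that benign software also calls.

```python
"""
Added example (not from the Joe Sandbox report): match the network indicators
from the context table against proxy/web logs.

Indicators taken from the report:
  193.233.132.56 /Pneh2sXQk0/index.php   Amadey C2 panel (also seen with ?wal=1)
  ipinfo.io      /ip                     public IP lookup seen with RedLine samples
The log format, the client addresses and the log lines are constructed.
"""
import re
from urllib.parse import urlsplit

# ipinfo.io is a legitimate service, so it is only a weak indicator (assumption).
IOCS = {
    "strong": [("193.233.132.56", "/Pneh2sXQk0/index.php")],
    "weak": [("ipinfo.io", "/ip")],
}

# Constructed log format: "<timestamp> <client> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def classify_url(url: str):
    """Return 'strong', 'weak' or None for one URL. Host and path are compared
    exactly; the query string is ignored, so index.php?wal=1 matches too."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for level in ("strong", "weak"):
        for ioc_host, ioc_path in IOCS[level]:
            if host == ioc_host and path == ioc_path:
                return level
    return None


def scan_log(lines):
    """Return {client: {"strong": [urls], "weak": [urls]}} for clients with hits."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not in the expected format, skip
        level = classify_url(m["url"])
        if level is None:
            continue
        hits.setdefault(m["client"], {"strong": [], "weak": []})[level].append(m["url"])
    return hits


def alert_level(client_hits: dict):
    """A strong IOC alone is 'high'; weak-only traffic is 'low' and needs corroboration."""
    if client_hits["strong"]:
        return "high"
    if client_hits["weak"]:
        return "low"
    return None


# Constructed sample log: 10.0.0.5 shows the full Amadey pattern, 10.0.0.9 only
# the IP lookup, 10.0.0.7 an unrelated index.php on another host.
SAMPLE_LOG = """\
2024-04-16T10:01:02Z 10.0.0.5 GET http://193.233.132.56/Pneh2sXQk0/index.php 200
2024-04-16T10:01:03Z 10.0.0.5 POST http://193.233.132.56/Pneh2sXQk0/index.php?wal=1 200
2024-04-16T10:01:04Z 10.0.0.5 GET https://ipinfo.io/ip 200
2024-04-16T10:02:00Z 10.0.0.9 GET https://ipinfo.io/ip 200
2024-04-16T10:03:00Z 10.0.0.7 GET https://example.com/index.php 200
"""

if __name__ == "__main__":
    for client, h in scan_log(SAMPLE_LOG.splitlines()).items():
        print(client, alert_level(h), h)
```

Matching on host plus exact path rather than on the bare IP keeps a shared-hosting address from flooding the queue, and keeping the query string out of the comparison means the ?wal=1 variant in the table is caught by the same rule.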
No context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
  Cheater Pro 1.6.0.msi | malicious | Unknown | 34.117.188.166
  Cheat Lab 2.7.2.msi | malicious | Unknown | 34.117.188.166
  pQTmpNQX2u.exe | malicious | DCRat | 34.117.186.192
  https://csactivation.carestreamdental.com/ViewSwitcher/SwitchView?mobile=True&returnUrl=https://bpy.us/moTxvQ3E4RAm3ToTxn2APa4RAchQ3E4RAD5QyD5Qm3TQ3EmD5Qz01coTxm&mc=101631 | malicious | Unknown | 34.117.33.233
  file.exe | malicious | RisePro Stealer | 34.117.186.192
  dendy.exe | malicious | RisePro Stealer | 34.117.186.192
  Sp#U251c#U0434ti.exe | malicious | Unknown | 34.117.186.192
  SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | malicious | Glupteba, PureLog Stealer, zgRAT | 34.117.186.192
  EpsilonFruit.exe | malicious | Pafish | 34.117.186.192
  Q73YlTAmWe.exe | malicious | RisePro Stealer | 34.117.186.192
Match: FREE-NET-ASFREEnetEU
  Cheater Pro 1.6.0.msi | malicious | Unknown | 185.103.100.31
  Cheat Lab 2.7.2.msi | malicious | Unknown | 147.45.67.1
  file.exe | malicious | RisePro Stealer | 147.45.47.93
  dendy.exe | malicious | RisePro Stealer | 147.45.47.93
  SecuriteInfo.com.Win64.CrypterX-gen.2144.26023.exe | malicious | Glupteba, PureLog Stealer, zgRAT | 193.233.132.175
  Q73YlTAmWe.exe | malicious | RisePro Stealer | 147.45.47.93
  file.exe | malicious | RisePro Stealer | 147.45.47.93
  https://casestudybuddy.com | malicious | Unknown | 147.45.47.87
  PBZcC2ge1z.exe | malicious | PureLog Stealer, RHADAMANTHYS | 147.45.77.238
  file.exe | malicious | Clipboard Hijacker, RisePro Stealer | 193.233.132.175
Match: CLOUDFLARENETUS
  TiKj3IVDj4.exe | malicious | Mint Stealer | 104.26.12.205
  mdWXrbOxsY.exe | malicious | Xehook Stealer | 172.67.169.128
  mdWXrbOxsY.exe | malicious | Xehook Stealer | 172.67.169.128
  http://wzxqi.theknittingdoula.com/ghoopuh/lopwiuiye | malicious | HTMLPhisher | 104.21.71.20
  KZWCMNWmmqi9lvI.exe | malicious | AgentTesla | 104.26.12.205
  Payment.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 104.26.13.205
  DOCUMENTS OF OWNERSHIP AND PAYMENT REQUIREMENTS.exe | malicious | AgentTesla, DarkTortilla | 104.26.12.205
  Gcerti Quote.exe | malicious | AgentTesla | 104.26.12.205
  Arba Outstanding Statement.exe | malicious | AgentTesla, PureLog Stealer, RedLine | 104.26.12.205
  wFtZih4nN9.elf | malicious | Mirai | 104.28.24.146

No context

Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\NewB[1].exe
  bUWKfj04aU.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine
  Ux0uyPZABV.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, zgRAT
  l2ZKczbGRq.exe | malicious | Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT
  uQeIMs91Vh.exe | malicious | Amadey, PureLog Stealer, RedLine, RisePro Stealer, zgRAT
  2ZQkFRoMrY.exe | malicious | Amadey, PureLog Stealer, RedLine, SmokeLoader, XWorm, zgRAT
  SecuriteInfo.com.Win32.TrojanX-gen.1033.1898.exe | malicious | Amadey, Mars Stealer, PureLog Stealer, RisePro Stealer, SmokeLoader, Stealc, Vidar
  gIw6kp4lSq.exe | malicious | Amadey, RisePro Stealer
  cA6B2WCbew.exe | malicious | Amadey, RisePro Stealer
  EIrPdlD2lA.exe | malicious | LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine
  Q6fbRObs8j.exe | malicious | Amadey, RisePro Stealer
Process: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2310656
Entropy (8bit): 7.95158059421594
Encrypted: false
SSDEEP: 49152:SeF1xn14/3wSmwAkB8FZOGlapkS7lHVdv1m8dhu7EmtpeJb8oVU:/1xn1nSmwAY8FPlC5H/vYWg7nSIUU
MD5: FDA558788F4A8C86423D97EE694671FC
SHA1: 6E211175DD2CB84BE39EE42D1D9CFFD8D88EE4B1
SHA-256: A17926575BF705C38D2D8076B379DFCDC937BCF4C1EE149F1B119DAF0FC2AA6C
SHA-512: F2AC10F0982A66A71155F03B91BC979ADF726AE423B3CBAC0A8B578E3808FDEA0B75F0A88037DAB8B0492A5EB1AF808C881FA7ECA5AA6D7E945074A6992B664D
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......P.....t...t...t._.w...t._.q...t._.s...t.......t...p...t...w...t...q.O.t._.p...t._.r...t._.u...t...u.4.t..|}...t..|t...t..|....t......t..|v...t.Rich..t.........PE..L......f...............'.4...2........X......P....@...........................X.......#...@...........................X.L...m........P.......................X.............................\.X.............................t...@................... . .@.......>..................@....rsrc.......P.......N..............@....idata ............................@... .0*.. ......................@...ylghxgim.p...P?..l..................@...rirxhfbq......X......@#.............@...................................................................................................................................................................................................................................
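The record above is what a triage script should be able to reproduce on its own: the three hashes for IOC matching, the whole-file 8-bit entropy (7.95 here, with non-standard section names such as ylghxgim and rirxhfbq visible in the preview, both consistent with the packing-related signatures in the report), and the MZ/PE header check behind "PE32 executable". The script below is an added example, not part of the Joe Sandbox report or its tooling. The 7.0 entropy cutoff for "likely packed" and the sample byte strings are assumptions for the example; the report's own values for this dropped file are the ones to compare against.

```python
"""
Added example (not from the Joe Sandbox report): compute the per-file fields
the dropped-file records use (MD5/SHA1/SHA-256, 8-bit Shannon entropy, PE
check) and apply a simple packed-binary heuristic.

Assumptions: PACKED_ENTROPY cutoff and all sample inputs are constructed.
"""
import hashlib
import math
from collections import Counter

# Assumption: common whole-file entropy cutoff for "probably packed/encrypted".
PACKED_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for empty or constant input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def hashes(data: bytes) -> dict:
    """Upper-case hex digests, matching the report's MD5/SHA1/SHA-256 presentation."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
    }


def is_pe(data: bytes) -> bool:
    """MZ header plus 'PE\\0\\0' at e_lfanew (offset 0x3C), i.e. a Windows PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(data: bytes) -> dict:
    """Build a record shaped like the report's dropped-file entry."""
    ent = shannon_entropy(data)
    rec = {"Size (bytes)": len(data), "Entropy (8bit)": round(ent, 4), "PE": is_pe(data)}
    rec.update(hashes(data))
    # Only PE images are flagged; a high-entropy archive or database is expected.
    rec["LikelyPacked"] = rec["PE"] and ent >= PACKED_ENTROPY
    return rec


def matches_known(data: bytes, known: dict) -> bool:
    """Compare computed digests with known values (e.g. copied from a sandbox report)."""
    h = hashes(data)
    return all(h[k] == v.upper() for k, v in known.items() if k in h)


# Constructed inputs (not real samples):
ZEROS = b"\x00" * 4096             # mostly-empty file, entropy 0.0
UNIFORM = bytes(range(256)) * 16   # every byte value equally often, entropy exactly 8.0
# Minimal MZ/PE header (e_lfanew = 0x40) followed by uniform "packed" payload.
FAKE_PACKED_PE = (
    b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + UNIFORM
)

if __name__ == "__main__":
    for name, blob in (("zeros", ZEROS), ("fake_packed_pe", FAKE_PACKED_PE)):
        print(name, triage(blob))
```

Run against a real dropped file, read the bytes from disk and pass them to triage(); matches_known() then confirms the file on disk is the one the report describes before any further handling.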
Process: C:\Windows\System32\svchost.exe
File Type: Extensible storage user DataBase, version 0x620, checksum 0xbbe7aa5b, page size 16384, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 1310720
Entropy (8bit): 0.7555543627400935
Encrypted: false
SSDEEP: 1536:NSB2ESB2SSjlK/svFH03N9Jdt8lYkr3g16xj2UPkLk+kLWyrufTRryrUYc//kbxW:NazaSvGJzYj2UlmOlOL
MD5: E7FE25D81011E9DC98A90DF014F46FF8
SHA1: E4069CD7B5DD29D5C7678A471ED3597DCEB7C2B7
SHA-256: 610DB47473C62B9F8C6D37EA1BBC845D5269BC3DF358A481E834B83F8261C766
SHA-512: B7F8AB154B119A5E8CF4BFAE9E2853395E25BF9E68AA3354AE3C57658767E9E3890B406468A48D9D9121E6E09407307C3CA5AE8971C5F72F6BD746EABFA6325B
Malicious: false
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.0661042528204128
Encrypted: false
SSDEEP: 192:s9YlXAzK83dp005D2e6E6jjbdnZrxLZOzuiFCZ24IO8d6t:5kKCdK05D2xjXOzuiFCY4IO8q
MD5: 41D02044B1A85F89BBB641D0E5B953C7
SHA1: 41A6A2FCFCB9496D393C7AFF27EEF46DABABF8D0
SHA-256: E5FC2D9E2849886DA9AFA5B35728E50C85A6E35E7EF633EEF125F63A1F172DC4
SHA-512: F5F5580D8E94C4CBAEC0B3845143CC2464E1F8806082745392B9B5933A3834E4276AE2AEFA3549317641B010963D4DE57024BF8ABB7479EEB03310DD80D1562A
Malicious: false
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.0724874834638738
Encrypted: false
SSDEEP: 192:d3O0lTAz583dp005D2e6E6jjL67Zr9qWJzuiFCZ24IO8d6t:dhg5CdK05D2xjwJzuiFCY4IO8q
MD5: D5BE8EADBF5CA6B51C2BE3EC9463625A
SHA1: A32497A4C70F384D5FAA21460595348F818AC3F6
SHA-256: 88543FEFD789BFD47915CD2F5D54519360E68961B32670A56870167C6BEE8C62
SHA-512: 79D4A42292AC22A6503A8DA7609B3EA5D7C13C21DE43EF83729C26A65ED882D2A753401CBB723CEA714512F1A2A4C94F1CB34CF6DA9CB6E70848D60F2377539D
Malicious: false
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.082032002325109
Encrypted: false
SSDEEP: 192:34ZuGc0S0tUb0gjL67Zr96nIzuiFCZ24IO8t:oZuGc0ZtUb0gjJIzuiFCY4IO8t
MD5: 7BB7F8FDA314132B62E6F9B977EEEB95
SHA1: E102DC12BEE9ED215DF8BDA4660F8BC3AD0F6231
SHA-256: A7587F16410B8D94A2223721CD61A38F29F5AEC82ECBD59D3C16D6E08CCC3DAC
SHA-512: BFD0C54A195B027DCD0B5A06F69B36FB80E651DD5E41FA3D6AB02DA409994C6C1220B8FABCD90994EAB1EFB6E847BBC389DC10209A3EB6C6BECCC46550E0DAE9
Malicious: false
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Thu Apr 18 20:53:52 2024, 0x1205a4 type
Category: dropped
Size (bytes): 264062
Entropy (8bit): 1.4590450158148753
Encrypted: false
SSDEEP: 768:XgkkW5vFkhmSt9PGQWhb7YFxAC8+W3PrLDIuWf4x/YPr8:XhShmSjP8RTLDI9fc/x
MD5: DFBD6F03A228F11D2B680487E865E539
SHA1: FB138FF997B3CEAC00D9A7DC9CB4AED077BB128C
SHA-256: 76EFD80A09802878B3A544E099566A8B482B75A54DAB475B6B31D087B626F109
SHA-512: 6C8EEC7DC31FE1AEB007AA299C1C9842D19FCD0FB4C5122625A4BA37E149DC1034BDEE96A966B80E6381AC25C5B1D4E729074DAED0C31C0D5CEA682DDD469AC6
Malicious: false
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8378
Entropy (8bit): 3.7021672910216665
Encrypted: false
SSDEEP: 192:R6l7wVeJcG6N6Y1ut6vgmfNJlW0prR289bBXsfZrm:R6lXJV6N6Y1c6vgmfNJlWWfBcfI
MD5: BE035944EBB4EA5C41949270538A7672
SHA1: F6924967AF7F2933039426C95A610B3C9755A1B7
SHA-256: 96CE4E20AB2F023BE7E9B052B782ED1141C0BB64368D46ACE67B259B1E024BFF
SHA-512: A2DA7CC59D9A336BF120BB2D64ACD07A0982C6F0CC61D3D0B84660085210D56C51706FBF636E041996D4709F5D991789928E3377C11A79D03F63D93AC4DA7634
Malicious: false
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4700
Entropy (8bit): 4.495293813775606
Encrypted: false
SSDEEP: 48:cvIwWl8zsgJg77aI9vsWpW8VYGYm8M4JxkFlKP+q8/qDmbBC/ed:uIjfmI7hF7VKJxzDmbBC/ed
MD5: 5B60C89CEB6AC971F18425989555CA08
SHA1: CC92DC413BB0FCEABC2330C7AB46AC7493F0B446
SHA-256: A39AB29E3C181479AEC4749EC8A1EF0D0C1F49541B4D7F01B22A24D085110423
SHA-512: BBD08B95DA2B8BD69C04AF4681EBBCBEE3E94C77FD886795889934DB48BE3EF822AA5B8B15A119135B68EDF0D4EC2A4AAA9B135D5C2A65FA512D656459CDC81C
Malicious: false
                                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285836" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):94648
                                                                                                                                                                                                                                                        Entropy (8bit):3.0674093974510788
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:exYHrAvCtCb/Wf32ahki5frCTl3h/CPTRe99F5X0hKp2oi9YUt4Ia:exYHrAvCtCb/Wf32ahki5frCTl3h/CPI
                                                                                                                                                                                                                                                        MD5:1537041EA6ADEC229C3F046A843F3AE9
                                                                                                                                                                                                                                                        SHA1:18D0B6F758816C62402D366ACCF9CA4DD6FABA0B
                                                                                                                                                                                                                                                        SHA-256:4454C1B8BF51C263B0210F0B2AD5912D4954E858CCEE3280A6398425D62C6703
                                                                                                                                                                                                                                                        SHA-512:240357F7225A3C9A48D08DF526538EB0FC3E85C1B59D25E1D10D08700A340328C09301E4C9934BA8362DC374F4058B5A2C889696F4FF21D8A7CE062BDE51CD4B
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):13340
                                                                                                                                                                                                                                                        Entropy (8bit):2.6860978736532677
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:TiZYW4ImGiAYNYfrWNHdYEZ8qtoi3MZb+wMYgPNmajQWMGC/It+RY3:2ZD4E6cVgkajQWMGCQtOY3
                                                                                                                                                                                                                                                        MD5:28792AAD7D36846E003076CC335E9BA2
                                                                                                                                                                                                                                                        SHA1:FBF4E21920751C870ED73EB09406813E25D7CAB4
                                                                                                                                                                                                                                                        SHA-256:ABA5CB903844F8BB60B2436E977BB7CDFF90818F8F200EFDF9C2BCE0A6739EA9
                                                                                                                                                                                                                                                        SHA-512:2DA73423DE5D46EA0575150B7A023A46EF5C78CA8B5B9FE48DF7CEECCC56708329EA173E4DB354DE6A033F2F5D57E0422244D62487A6BCDE0EDCC08D9402EA6D
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):104478
                                                                                                                                                                                                                                                        Entropy (8bit):3.0670759245069283
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3072:hQ1Plj9OGvEGVHvxUQgHGoAKNyE+xQhdOio+nP5bibOWF/S5w:Iz
                                                                                                                                                                                                                                                        MD5:396313C49CA3CCF42A58EA54E1DA1302
                                                                                                                                                                                                                                                        SHA1:6D8A041FBE59E19E764C6EA23CC48BB6C7DED450
                                                                                                                                                                                                                                                        SHA-256:9D40BA43242541CC82E06CDE28E5779DC5B5B1C0C6EEE219A1C6F733F1973F94
                                                                                                                                                                                                                                                        SHA-512:FB88CB8C0EBF5A6753123A1D7AEFABF9EBFF6B27EB2837E9BB147A050F7DA4A41CB312746D1551ABA6966DD1E8702EDB9B979F5BE5047CBEDEDD6713B1C6C82E
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):13340
                                                                                                                                                                                                                                                        Entropy (8bit):2.6987095055741546
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:TiZYWR4fz4HzY/YLW/H+YEZOOtoiQ+du2w3+O5aFuz7XMGVcIbwC:2ZDro35x5aFunMGVbbwC
                                                                                                                                                                                                                                                        MD5:8B72693D11240C0D7C57044FA9AAE1FC
                                                                                                                                                                                                                                                        SHA1:65B5F833866635E08438386B882111B9239FBC7C
                                                                                                                                                                                                                                                        SHA-256:3A2D8625BAC756B805A75E0E7EC4E98C7E381610B45225D17AC18C1FB1DE6593
                                                                                                                                                                                                                                                        SHA-512:7C2148A7831B861E95132988B95F88539EBDF69EE3E6F71DA71D2D17572FD544E9C36979E1F311C64D7F1FDEC68056B19C23C67A6FE6AA4C09C569C273F5E843
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 20:54:01 2024, 0x1205a4 type
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):271938
                                                                                                                                                                                                                                                        Entropy (8bit):1.4498836205114543
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:768:G8GekvsCW5vUyL/PO/9cCsDZkVLvhBjUa+mLp:iPsN3/PO9cC5VfUa+wp
                                                                                                                                                                                                                                                        MD5:5278CEAF009C87F72321CC0AE50DF15C
                                                                                                                                                                                                                                                        SHA1:43E190848F56DE34373C8B7413F15227555383DF
                                                                                                                                                                                                                                                        SHA-256:90E221F722ED990E4C49FC180215C27E332DB989B30DEC1E494D4CE3C651F6BD
                                                                                                                                                                                                                                                        SHA-512:AE00BB505F6530067D2A923151E12045D6753BB40ADD5D7092C25A201715C405DB579ACEE9ED6EFC754A44AA6BA2946D5B8A2029D04BFC2E645CF6BA0B022976
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:MDMP..a..... .......i.!f............d...........p...x.......l....(......................`.......8...........T...........xQ..............T)..........@+..............................................................................eJ.......+......GenuineIntel............T........"..T.!f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        File Type:Mini DuMP crash report, 15 streams, Thu Apr 18 20:54:01 2024, 0x1205a4 type
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):268290
                                                                                                                                                                                                                                                        Entropy (8bit):1.4608152765413576
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:768:Ckb9XzK5vjqswQIAuxbD/oBjhPmD5Cpvjx4v:1AwMuXoGDsd4
                                                                                                                                                                                                                                                        MD5:D6D93E02E5B96231BA7500DBABF8A257
                                                                                                                                                                                                                                                        SHA1:7229D8F3A2C675020A08577949283E67ED897298
                                                                                                                                                                                                                                                        SHA-256:AC55EAD82AF9DB71756BE9E0EFCB4F9510F6B4441DACE1DE3C5CD9AE48A6891A
                                                                                                                                                                                                                                                        SHA-512:9D81D64E73186E152CF5CECF3820591EE60C1A5F66849BC1983BD239BE60F4C5F2DE627DEF14A8C1AF1B39C64D2A13DC1210A4ABD26C12AE8600F45F1ADC5542
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:MDMP..a..... .......i.!f............d...............x.......l...|(......$... ...........`.......8...........T...........`P...............(...........*..............................................................................eJ......l+......GenuineIntel............T.......$"..T.!f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):6358
Entropy (8bit):3.7263816939218577
Encrypted:false
SSDEEP:192:R6l7wVeJjuZ6bCzYiZFJlm9prA89bxysf0YBbm:R6lXJM6bOY6FJlm9xxfy
MD5:6F8001BC355E5DEB91392208E1832BFA
SHA1:1FEF68B03523F7CDDC55BC4DBE455A1E68B66699
SHA-256:8F4A47E6F45778B34349CDC85F63F9DB9E3FAFEA2F60A9606311BA3A367EED36
SHA-512:1A7B37D9847C441BCEEB6AFA770A4B362D028262FE2F0F72DC06B9544548E65D57212DBE0948EAF1D76B0AF62DF336475E1F6FA2C035D2BD6D67DE16E3642B17
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.9.1.2.<./.P.i.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4690
Entropy (8bit):4.50870850215405
Encrypted:false
SSDEEP:48:cvIwWl8zsgJg77aI9vsWpW8VYmYm8M4JB5FzT+q8cA2DmbBCbpd:uIjfmI7hF7VyJhT9DmbBCbpd
MD5:72E2E97213EECCCDE423333370B5241C
SHA1:20C065AE66C24110A6912D704F957965CE88B418
SHA-256:5000CDC082C7F61F36C2D426D0A414F4B3C04E412E2E7E0014750276618117AC
SHA-512:592BBE005594F6ECAF5F7AAF7A953581FD7F090FB4E6B1B2526D6A268C1765A2AF21C220FF42A621249841819E72FBAE114BA335110135693A0DB555EBED889B
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285836" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):95344
Entropy (8bit):3.0670245762865522
Encrypted:false
SSDEEP:1536:3JkwbAa/h+sf2YV2ahkzrCTl3h/CPTRe99F5X0hKp2SPXitqS:3JkwbAa/h+sf2YV2ahkzrCTl3h/CPTR5
MD5:5BE58A15393A6F1FFA50CB5C6626B98A
SHA1:55BEC001F4F26E1C0C9E2FE9C4FB5FD1301E0B30
SHA-256:45962A340EC728B69C0718318791061B3F295F2D6B16E65BB280B6BADF339F9F
SHA-512:C945780DED1C90495030D5867CF3F1890656ACA2EE81CBCDAD4B1B51E5C7C4F32DB3120C4EACED3E672BBF600AB7DEA4D133A6533E04E4800904BAA44F82576A
Malicious:false
Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):6360
Entropy (8bit):3.7271825238372296
Encrypted:false
SSDEEP:192:R6l7wVeJSXuF6MYiZFJlm9pr189bxOsf4bm:R6lXJSk6MY6FJlmixNfJ
MD5:7F1CFB5A8FFF8DDD683B2AA4405592A5
SHA1:C830485FDAF8D18A4F69D8795F0AFB6C3FD8E436
SHA-256:C268D6DF79BBE679A4952E12B62CFD7A1DF78C27FA40BDFBC46A452A03E8805A
SHA-512:78C819187FDB1027635432FEBDF40A93DB955E20F36FA873ED220EBF0E4D717056612F14D4B086BD3A815AEECCD84876E75AD6F76DB8703FED2D60A4E7788DFF
Malicious:false
Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.7.4.0.<./.P.i.
Process:C:\Windows\SysWOW64\WerFault.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):4690
Entropy (8bit):4.507740584557573
Encrypted:false
SSDEEP:48:cvIwWl8zsgJg77aI9vsWpW8VYNYm8M4JB5FMq+o+q8caeDmbBCbod:uIjfmI7hF7VFJv+oSeDmbBCbod
MD5:4D1CB7C78BE67EB98D9710201B9A5F0A
SHA1:9A80C0F643BC291E18FDB88368E9584542F1DE2A
SHA-256:385E1C4FAA152E09084505D0C6D403B0824FB8B16652C770793FBE0F427C15FC
SHA-512:7CAC7D14131C38DE08A5D21F10236A4D26008C2D953A1F164BD24779C6F465C3AEE201DE54AD33B9A16CE1D0C2378A64B196C15C2DCDD7FD32C46509CE789A37
Malicious:false
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="285836" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):95354
Entropy (8bit):3.067066066887562
Encrypted:false
SSDEEP:1536:R1gxInAa/hwc7X2YV2ahk5rCTl3h/CPTRe99F5X0hKp2hyXYtRlg:R1gxInAa/hwc7X2YV2ahk5rCTl3h/CPW
MD5:1152E6D0AF069CE8D69E40487C642FD2
SHA1:2D5C58DCD78A862E9089F3DC18579674831F6800
SHA-256:B1D3A351C7C0804B2E78598DBCBDA2CA64C908ED64BF75F35DD06F34CF2E492E
SHA-512:436D7DB8F35C344EDA8CF97946772C0A68AE99DAD24B89367538BC494CF920041B27E1841B3E2585B63FBEAE0FBCDD7614A177A2D143A8094C9B76DF76C308ED
Malicious:false
Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):13340
Entropy (8bit):2.686710017252667
Encrypted:false
SSDEEP:96:TiZYWuM8iHtfzYWY25WvHXYEZH8CtoiOMub+w43saaA22gQMieyDmI1II3:2ZDuatzB48A5ar2gQMNIh1II3
MD5:BE66BEE4E8E77E7CD6992B6D6D44F25C
SHA1:84B99BC1EF116DF0709DEE3D63494BE6F12E033B
SHA-256:5DB89C9452D27F423B254D7B2ED2CFDD3C02C5250C5E852BEAE6CA36F1D1D5A3
SHA-512:F9BC603CEF8A2E0B6F852C7B1E4E23B776983F7E6F2645C6E0DF28C44D93DBE25C8BC5FB777FA35F00873C6F8E2BBB69C460A4D300BCADF908301514CEE60F18
Malicious:false
Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
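The WerFault.exe and svchost.exe drops above are all marked Malicious:false and are Windows Error Reporting output (a UTF-16 WERReportMetadata document, an ASCII telemetry request, and UTF-16 process and system listings), which tells an analyst that something in the execution chain crashed rather than that a payload was written. What is useful in them is correlation data: the Pid values in the two metadata previews (8912 and 8740) identify which process faulted. The helper below is an added example, not code from the Joe Sandbox report or from its authors; it recomputes the Size, Entropy (8bit) and hash fields for a dropped file and pulls the OS and Pid fields out of the two XML formats shown. The sample documents embedded in it are constructed to mirror the previews on this page (the full files are not reproduced here), so the values they yield are illustrative.

```python
"""Re-derive the dropped-file fields of a sandbox report and decode the WER
XML attachments. Added example; sample documents below are constructed."""
import hashlib
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the measure the
    report's 'Entropy (8bit)' column uses. UTF-16 text scores low (around
    3.7 in the previews above) because every other byte is 0x00."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def file_record(data: bytes) -> dict:
    """Recompute the Size/Entropy/MD5/SHA1/SHA-256 fields for a blob and flag
    UTF-16 LE content by its FF FE byte-order mark."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "utf16": data.startswith(b"\xff\xfe"),
    }


def parse_wer_report(data: bytes) -> dict:
    """Decode a UTF-16 LE WERReportMetadata document and return the fields an
    analyst correlates on. The XML declaration is stripped before parsing so
    that the already-decoded str is not re-interpreted as UTF-16."""
    text = data.decode("utf-16")  # consumes the BOM
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text)
    root = ET.fromstring(text)

    def field(path):
        node = root.find(path)
        return node.text if node is not None else None

    return {
        "nt_version": field("OSVersionInformation/WindowsNTVersion"),
        "build": field("OSVersionInformation/Build"),
        "build_string": field("OSVersionInformation/BuildString"),
        "arch": field("OSVersionInformation/Architecture"),
        "pid": int(field("ProcessInformation/Pid")),
    }


def parse_wer_telemetry(data: bytes) -> dict:
    """Flatten the <arg nm=... val=.../> entries of the ASCII WER telemetry
    request into a name -> value dict (bytes input keeps the declaration valid)."""
    root = ET.fromstring(data)
    return {a.get("nm"): a.get("val") for a in root.iter("arg")}


# Constructed sample mirroring the first WerFault.exe preview above.
SAMPLE_WER_XML = (
    '<?xml version="1.0" encoding="UTF-16"?>\r\n'
    "<WERReportMetadata>\r\n"
    "\t<OSVersionInformation>\r\n"
    "\t\t<WindowsNTVersion>10.0</WindowsNTVersion>\r\n"
    "\t\t<Build>19045</Build>\r\n"
    "\t\t<Product>(0x30): Windows 10 Pro</Product>\r\n"
    "\t\t<Edition>Professional</Edition>\r\n"
    "\t\t<BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>\r\n"
    "\t\t<Revision>2006</Revision>\r\n"
    "\t\t<Flavor>Multiprocessor Free</Flavor>\r\n"
    "\t\t<Architecture>X64</Architecture>\r\n"
    "\t\t<LCID>2057</LCID>\r\n"
    "\t</OSVersionInformation>\r\n"
    "\t<ProcessInformation>\r\n"
    "\t\t<Pid>8912</Pid>\r\n"
    "\t</ProcessInformation>\r\n"
    "</WERReportMetadata>\r\n"
)
SAMPLE_WER_BYTES = b"\xff\xfe" + SAMPLE_WER_XML.encode("utf-16-le")

# Constructed sample mirroring the ASCII telemetry preview above (truncated).
SAMPLE_TELEMETRY = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n'
    b'<req ver="2">\r\n <tlm>\r\n  <src>\r\n   <desc>\r\n    <mach>\r\n     <os>\r\n'
    b'      <arg nm="vermaj" val="10" />\r\n'
    b'      <arg nm="vermin" val="0" />\r\n'
    b'      <arg nm="verbld" val="19045" />\r\n'
    b'      <arg nm="arch" val="9" />\r\n'
    b'      <arg nm="lcid" val="2057" />\r\n'
    b"     </os>\r\n    </mach>\r\n   </desc>\r\n  </src>\r\n </tlm>\r\n</req>\r\n"
)

if __name__ == "__main__":
    print(file_record(SAMPLE_WER_BYTES))
    print(parse_wer_report(SAMPLE_WER_BYTES))
    print(parse_wer_telemetry(SAMPLE_TELEMETRY))
```

Run against the real files pulled from the sandbox, the recomputed hashes should match the MD5/SHA1/SHA-256 columns exactly, and the Pid from parse_wer_report is the key to join back to the process tree and find which injected or spawned process WerFault was invoked for.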
Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):13340
Entropy (8bit):2.6866665762002273
Encrypted:false
SSDEEP:96:TiZYWqx5KkpYwYqQWnHXYEZ3atoiAMub+wYEea12gRM831ItLII3:2ZDY33CXa12gRM83KtLII3
MD5:82CEC6E5EB410933B1DAD6A8916B0DAB
SHA1:5FFA4B78665C19E2B34F8E5083E570D835247FB0
SHA-256:3DE1BB7E2F5097F7D14A637E9320807F8EF2236866458D6E3385597AC920E379
SHA-512:2E0A57E43A4669DC9B137AF1DA2C6F16FFBB17858221A11809E7BF45DFA0F9C7C78F33E140D5695C73BA9F784B3243AA1C25B0FC8576F1B43B94BB208353C601
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):107500
                                                                                                                                                                                                                                                        Entropy (8bit):3.0669082878410703
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3072:sMYzSGXTCuSvxogXJoAKNyE+xQhdOio+UyRv4bubGn10PjP0GGS9j4:ks
                                                                                                                                                                                                                                                        MD5:940DD38E1CA7BB2CD0D30A9B839C1172
                                                                                                                                                                                                                                                        SHA1:60CF7DF9A9083F2F7D6428B1AAD05E72A10B7A2C
                                                                                                                                                                                                                                                        SHA-256:963859CF90F11FCDA9ECDFDE7F95472887801BF3DF0EE0696FBD56E4126EF973
                                                                                                                                                                                                                                                        SHA-512:C3491BC9D3EE29CD2B3AF4DF7F212F386DA7099D610809305093E4CD78AAB686AE45390C9F0025F65A60E5409EAB4AE4344FAB729DF197357A3D675EC0D0FAB3
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):13340
                                                                                                                                                                                                                                                        Entropy (8bit):2.6991277718891813
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:TiZYWUWt21YSYQTW4hH7YEZs2toi1+quAw+bBawuKMkVgIlwZ:2ZDSFt1kElawuKMkV3lwZ
                                                                                                                                                                                                                                                        MD5:A85474E5F20AA38279646EF50B146959
                                                                                                                                                                                                                                                        SHA1:22153A490FD1DCED3106F03AD305FCFCAF649F5E
                                                                                                                                                                                                                                                        SHA-256:EA0D8D866CBB88BE495B7FF0ADB14597124673EAFD230A125D9A313B20250CEF
                                                                                                                                                                                                                                                        SHA-512:5C1910B22FF6C5AB2685E3DE81FF454F963A26A214BAEADB4EFB846180F4C681129EB5908F136037AA17603F40E49808EDB8D5AC7EBE9CB5CAD9A9FA121A65A3
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):108398
                                                                                                                                                                                                                                                        Entropy (8bit):3.062392663992872
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3072:VL3lvC9bGe8tpr0vxZWVGoAKNyE+xQhdOio+O81NB8qbxbUoM751gV:ht
                                                                                                                                                                                                                                                        MD5:B70EB7C610BF9CD9F38870CB9335022E
                                                                                                                                                                                                                                                        SHA1:56A33592E910FA965DB0655AAB5742E1897EC7D5
                                                                                                                                                                                                                                                        SHA-256:A00B0F5FE3DDBF25C3C44B6D46D35BFE0D90989DD48DEBCB901847D09AC5B77C
                                                                                                                                                                                                                                                        SHA-512:0D0F7723EAA7EEB162AF11D68CBC4BBEAA55AC9031456BF3728BA974D00DA3D383072C080292627AAE6BDE7DED10B199993A74E53B954EC8D6F683A6AEE0465F
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):95878
                                                                                                                                                                                                                                                        Entropy (8bit):3.065523453638402
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:WW6kSX7QcG2tY/nYV2ai1kjoAKNyE+xQhdOio+oZlVtLp44m:WW6kSX7QcG2tY/nYV2ai1kjoAKNyE+xO
                                                                                                                                                                                                                                                        MD5:803C69AB51CC5A63B5D05CB13D8189BF
                                                                                                                                                                                                                                                        SHA1:DA584A49DB95657A7D19E534FA15FF658B72EB76
                                                                                                                                                                                                                                                        SHA-256:CECCA62A1E2ADDB9752A90226BA3E713E688880F1DB73E3DAD1FBD3429CE39FF
                                                                                                                                                                                                                                                        SHA-512:0C5A547C79D02F606A302252D602E3CB37CBC2E1538AB5BC55CCE5D4456FB81290A1CA32B98FDD8D6880836BE6EAA29E22B12158F5D20F51CD7CF6BF6A2380F3
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):13340
                                                                                                                                                                                                                                                        Entropy (8bit):2.686480203829008
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:TiZYWbGBSOYFOYvWBplzHvYEZ2TLtoi7MkuLtw0hBlt9eauuQMcTo3I1w3:2ZDWKOZMQTnEauuQMcToY1w3
                                                                                                                                                                                                                                                        MD5:8DD9F41AEE9AA01E5C63B4288292558B
                                                                                                                                                                                                                                                        SHA1:8B93AF4F73BD045EBA131A99D722F1C81FFD40A1
                                                                                                                                                                                                                                                        SHA-256:686969EB91E02E573CADB80CD4EA9BA90F0130A183DB3B2D433D6CB8E03284BE
                                                                                                                                                                                                                                                        SHA-512:9784CB5ED8F02036CC73316E13F7ED1DB464502B0B177CE37E14F9D67B32DDBE3B32DC01BA830D66F241EEA2C84F831E0C3FB325857D125020A8CE2502620A92
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):97804
                                                                                                                                                                                                                                                        Entropy (8bit):3.0632094707359503
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:xNld/z3zUVuGjEk2f+MRRqwoAKNyE+xQhdOio+NggtY8Kq:xNld/z3zUVuGjEk2f+MRRqwoAKNyE+xy
                                                                                                                                                                                                                                                        MD5:1B98606DCDE86CCBE4635BC3354CD480
                                                                                                                                                                                                                                                        SHA1:802977C0F98F07CC2B41DAA23267AF5AF41C9B50
SHA-256:BE7C581394D8E9C1295203932CD9417496194410881B3B79121C1185C5B84E0E
SHA-512:D744313A9B19F3B4B38A57D1B19C097C547BA42E71A02430DD3935BA7A9F2E87BFF7F250587DE8FAB697F990E801FEF356B74DC2E0F192F57534A7097E1277B4
Malicious:false
Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):13340
Entropy (8bit):2.693321803984109
Encrypted:false
SSDEEP:96:TiZYWoPLJdK8YbYj5Ww7HrYEZA0toidMcu1wu1D8fykajuqMYaVSIRwa:2ZDoC88kXulC/ajuqMFV1Rwa
MD5:9C12767BFEF20E94C4B9A62EA80558C7
SHA1:9FE7808D98B22FDE065EACE3BFC9AE642634E0B2
SHA-256:8253C400738B54EF2BEE8F1910A51A87E6E0EB454C07C2E42711E9585FA482FF
SHA-512:E17C66363A96A77305D498EDE0AD04653AF885908CE6AD913943B02F1DD6BC602A9E74A3711F3B90E2CE19EB869A29A7BD1F7416247CD6A7098E4D4ACB29DB8F
Malicious:false
Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):100696
Entropy (8bit):3.0596936991445474
Encrypted:false
SSDEEP:3072:27qFOkR9nGuUqKdpL2fBRZoAKNyE+xQhdOio+2Lm3LgtPikQbbyy0:V
MD5:2DDC9C7ECA6C08316110EEFAD8C686A4
SHA1:67D450501A349C473B4DC37F40ACB1B404B41170
SHA-256:672231ED3C2DE88005A816A8ED168CFE5AC903F524253ADF12748DAF12134CC0
SHA-512:7DC26A94D7D524E5710656A92B22D18A8064D20186B62FE24F73B4FDA0B78F3E553805F6D673E4809AC63A45D6B445B5172FA3D86C22A6D87997E8061D17E24E
Malicious:false
Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):13340
Entropy (8bit):2.6947090272432486
Encrypted:false
SSDEEP:96:TiZYW0WepDPY3YkWw7HlYEZSfnytoioMGunwNLLlaMuYMgVGYIQwG:2ZDewtujlaMuYMgV4QwG
MD5:2C91CCB96A4A731B747B29B9F7E7A89C
SHA1:4BEF2975DB1E88E0A629BC43B5D2C53F5AD23CC3
SHA-256:A54F630B2C315C0F345B939741D2CA22DE8E5AD874C8E360FFCAA48F4FCB9CE2
SHA-512:CB0308D10E1CFA31010E58216F6D23CF8C9F8C6370816532B945EFACE2438269B0865C5E6C8154ACB44602EF346247D33A482E35FADA09460F79CBABCAFB1686
Malicious:false
Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):13340
Entropy (8bit):2.6979872183580134
Encrypted:false
SSDEEP:96:TiZYWFCeMwYkZYpWZHjYEZujtoiS+gukkwcYmDMTawuKM2VGIJwM:2ZDfnm9+TawuKM2VBJwM
MD5:B782D1CEA415A1420747A96A7A48CFDA
SHA1:6B277B1F2EC8634FD394EE0A10FD5344622F7955
SHA-256:71DF72D9F9FA5CC2DB08B6BFB229E2F00F7D292B42976C7760523549143AAE54
SHA-512:847DD74B41A2DA935436619249D5BA8B5FA5BA39391536DC541508C8DF8E10779718E75880CBE282675856D4DCD691D7650E4E4CF4FB6F65493A8981319EE8D4
Malicious:false
Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):105218
Entropy (8bit):3.061763004249377
Encrypted:false
SSDEEP:3072:6TllBT9Hpq1DdfqR7oAKNyE+xQhdOio+2dVGIbPbvx09:em
MD5:2020B84121084C8617EF37D716EB82F3
SHA1:E8347AF1437E6F6C864D20945D9935BB84912C1F
SHA-256:FC699B5E155009B5FDAFE20157B7D10983DFF1E8C5EF25C9C6B5890EBCCA40D0
SHA-512:B790A24E73DC6E16994612146FF7CE048BA42519BA4FDA5260103A472187834791106C30770CA24EFD40E873330871ED589BBD81D742DC8A8B1AFF666E816116
Malicious:false
Preview:I.m.a.g.e.N.a.m.e.,.U.n.i.q.u.e.P.r.o.c.e.s.s.I.d.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.,.W.o.r.k.i.n.g.S.e.t.P.r.i.v.a.t.e.S.i.z.e.,.H.a.r.d.F.a.u.l.t.C.o.u.n.t.,.N.u.m.b.e.r.O.f.T.h.r.e.a.d.s.H.i.g.h.W.a.t.e.r.m.a.r.k.,.C.y.c.l.e.T.i.m.e.,.C.r.e.a.t.e.T.i.m.e.,.U.s.e.r.T.i.m.e.,.K.e.r.n.e.l.T.i.m.e.,.B.a.s.e.P.r.i.o.r.i.t.y.,.P.e.a.k.V.i.r.t.u.a.l.S.i.z.e.,.V.i.r.t.u.a.l.S.i.z.e.,.P.a.g.e.F.a.u.l.t.C.o.u.n.t.,.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.P.e.a.k.W.o.r.k.i.n.g.S.e.t.S.i.z.e.,.Q.u.o.t.a.P.e.a.k.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.P.e.a.k.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.Q.u.o.t.a.N.o.n.P.a.g.e.d.P.o.o.l.U.s.a.g.e.,.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.e.a.k.P.a.g.e.f.i.l.e.U.s.a.g.e.,.P.r.i.v.a.t.e.P.a.g.e.C.o.u.n.t.,.R.e.a.d.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.W.r.i.t.e.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.O.t.h.e.r.O.p.e.r.a.t.i.o.n.C.o.u.n.t.,.R.e.a.d.T.r.a.n.s.f.e.r.C.o.u.n.t.,.W.r.i.t.e.T.r.a.n.s.f.e.r.C.o.u.n.t.,.O.t.h.e.r.T.r.a.n.s.f.e.r.C.o.u.n.t.,.H.a.n.

Process:C:\Windows\System32\svchost.exe
File Type:data
Category:dropped
Size (bytes):13340
Entropy (8bit):2.6968324966539936
Encrypted:false
SSDEEP:96:TiZYWzS0fcYQYRWw+HH9YEZI4toiz+5uB6wu2CZsaeu9MMVlIOwH:2ZD2nI+wNVZsaeu9MMV6OwH
MD5:F8D03878364B1C1861F7CA410BA6396D
SHA1:BE26ED5E66AFC9FEDF88FEF7E0D38EC61D6E9526
SHA-256:85260BB667DABB5A696E80CDDFF1CF471497F0F2726EBA60B9296A2FAC9E5517
SHA-512:DE8458619A6EE693084D5E977B3C956A9272ABBADBD1BC97529F57E144CF5DB5AE6B38A24A51ECB9F437791102F65DE60871F8F8414335E7ABEDF0536087CF10
Malicious:false
Preview:B...T.i.m.e.r.R.e.s.o.l.u.t.i.o.n. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1.5.6.2.5.0.....B...P.a.g.e.S.i.z.e. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4.0.9.6.....B...N.u.m.b.e.r.O.f.P.h.y.s.i.c.a.l.P.a.g.e.s. . . . . . . . . . . . . . . . . . . . . . . . . . .1.0.4.8.3.3.3.....B...L.o.w.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2.....B...H.i.g.h.e.s.t.P.h.y.s.i.c.a.l.P.a.g.e.N.u.m.b.e.r. . . . . . . . . . . . . . . . . . . . . . .1.3.1.0.7.1.9.....B...A.l.l.o.c.a.t.i.o.n.G.r.a.n.u.l.a.r.i.t.y. . . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.i.n.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . . . . . . . . . . . .6.5.5.3.6.....B...M.a.x.i.m.u.m.U.s.e.r.M.o.d.e.A.d.d.r.e.s.s. . . . . . . . . . . . . . . . . .1.4.0.7.3.7.4.8.8.2.8.9.7.9.1.....B...A.c.t.i.v.e.P.r.o.c.e.s.s.o.r.s.A.f.f.i.n.i.t.y.M.a.s.k. . . . . . .
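
The per-file fields the report prints for each drop (MD5, SHA-1, SHA-256, SHA-512, the 8-bit entropy, and the dotted Preview that UTF-16LE text produces) can be recomputed locally to confirm that a file recovered from a host is the one the sandbox saw. The Python below is an added example, not part of the Joe Sandbox report or its tooling. REPORT_HASHES copies two SHA-256 values from the svchost.exe entries above together with their Malicious flags; SAMPLE is a constructed UTF-16LE string standing in for the diagnostic dumps, whose bytes the page does not reproduce.

```python
"""Recompute the per-file fields a sandbox report lists for a dropped file and
look the file up against hashes taken from the report. Added example; not part
of the Joe Sandbox output. The SHA-256 values below are copied from the report."""
import hashlib
import math
from collections import Counter

# (SHA-256 as printed in the report) -> (label, Malicious flag from the report).
# Both entries are the benign svchost.exe diagnostic dumps; a real IOC table
# would hold the Malicious:true digests, the lookup is identical.
REPORT_HASHES = {
    "8253C400738B54EF2BEE8F1910A51A87E6E0EB454C07C2E42711E9585FA482FF":
        ("svchost.exe drop, 13340 bytes", False),
    "672231ED3C2DE88005A816A8ED168CFE5AC903F524253ADF12748DAF12134CC0":
        ("svchost.exe drop, 100696 bytes", False),
}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 .. 8.0), the 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1, SHA-256 and SHA-512 as lowercase hex, the four digest fields."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256", "sha512")}


def render_preview(data: bytes, limit: int = 64) -> str:
    """Mimic the Preview column: printable ASCII is kept, any other byte becomes '.'.
    UTF-16LE text shows up as 'I.m.a.g.e.' because every NUL high byte is a dot."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data[:limit])


def looks_like_utf16le_text(data: bytes) -> bool:
    """True when the high byte of nearly every 16-bit unit is NUL, i.e. ASCII stored as UTF-16LE."""
    if len(data) < 4:
        return False
    high = data[1::2]
    return high.count(0) / len(high) > 0.9


def triage(data: bytes, known: dict = REPORT_HASHES) -> dict:
    """Return a report-style record for one file plus the result of the hash lookup."""
    digests = file_hashes(data)
    hit = known.get(digests["sha256"].upper())
    return {
        "size": len(data),
        "entropy": round(shannon_entropy(data), 6),
        "utf16le_text": looks_like_utf16le_text(data),
        "preview": render_preview(data),
        "known": hit[0] if hit else None,
        "malicious": hit[1] if hit else None,
        **digests,
    }


# Constructed stand-in for the UTF-16LE CSV header the svchost.exe dumps begin with.
# The page does not reproduce the dropped files, so this is not their real content.
SAMPLE = "ImageName,UniqueProcessId,NumberOfThreads,WorkingSetPrivateSize\r\n".encode("utf-16-le")

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against a recovered file this also explains the entropy values in the entries above: ASCII stored as UTF-16LE spends half of its bytes on NUL, so its entropy is at most 1 + H(text)/2 bits per byte and lands near 2.7 to 3.1, while a PE32 with packed or compressed sections sits in the 6.x range and a fully encrypted blob approaches 8. A hit in REPORT_HASHES only says the file is one the sandbox recorded; whether it is malicious is the report's flag, not the hash match.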

Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):428544
Entropy (8bit):6.494348537450964
Encrypted:false
SSDEEP:12288:5noAx+FnmuQhimtPURimLqevmipum+K4Y:5+FnmuGtpMLnLYY
MD5:0099A99F5FFB3C3AE78AF0084136FAB3
SHA1:0205A065728A9EC1133E8A372B1E3864DF776E8C
SHA-256:919AE827FF59FCBE3DBAEA9E62855A4D27690818189F696CFB5916A88C823226
SHA-512:5AC4F3265C7DD7D172284FB28C94F8FC6428C27853E70989F4EC4208F9897BE91720E8EEE1906D8E843AB05798F3279A12492A32E8A118F5621AC5E1BE2031B6
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\NewB[1].exe, Author: Joe Security
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 76%
Joe Sandbox View:
                                                                                                                                                                                                                                                        • Filename: bUWKfj04aU.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: Ux0uyPZABV.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: l2ZKczbGRq.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: uQeIMs91Vh.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: 2ZQkFRoMrY.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: SecuriteInfo.com.Win32.TrojanX-gen.1033.1898.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: gIw6kp4lSq.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: cA6B2WCbew.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: EIrPdlD2lA.exe, Detection: malicious, Browse
                                                                                                                                                                                                                                                        • Filename: Q6fbRObs8j.exe, Detection: malicious, Browse
Process:C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1859584
Entropy (8bit):7.9540481541761885
Encrypted:false
SSDEEP:49152:ljB6fba59ftmNE+uXoiR9xzTy0rt80KhKTD+qf:labsfg2rFCYLHD
MD5:47786A32E7A47031EE41BD1C2EE24B39
SHA1:ED6D9E21E9822911E4684CBBC809921CD61202F1
SHA-256:CC2A29B7284E685872510FD59383F4BF78C04FAF8A0A1EB82375EA78DBCBEA61
SHA-512:CD844182B4C9479DDBE3E32975ACA1858EACAF4ED398A24DAA9B886DC362FB911E42BAB7679AE242FC594B005DD335F89109329ED731D82C5A7CD5B25FC2FE9B
Malicious:true
Process:C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1285632
Entropy (8bit):6.460494158653329
Encrypted:false
SSDEEP:24576:IvkQL6YY4wMPSYZofkf0Gh6Pi41+a9uyP5dggky+yC7:IsMPSYcS5wPi095Pbg9y
MD5:15A42D3E4579DA615A384C717AB2109B
SHA1:22AEEDEB2307B1370CDAB70D6A6B6D2C13AD2301
SHA-256:3C97BB410E49B11AF8116FEB7240B7101E1967CAE7538418C45C3D2E072E8103
SHA-512:1EB7F126DCCC88A2479E3818C36120F5AF3CAA0D632B9EA803485EE6531D6E2A1FD0805B1C4364983D280DF23EA5CA3AD4A5FCA558AC436EFAE36AF9B795C444
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\cred64[1].dll, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 71%
Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):162304
Entropy (8bit):7.967195699444992
Encrypted:false
SSDEEP:3072:I1lmOH349skOxH49PsH+8KqnuHV7A/5S+c6wABA47PN/6wHFHJ:I1iekOxYlI+EuH2cvAe4BywlH
MD5:586F7FECACD49ADAB650FAE36E2DB994
SHA1:35D9FB512A8161CE867812633F0A43B042F9A5E6
SHA-256:CF88D499C83DA613AD5CCD8805822901BDC3A12EB9B15804AEFF8C53DC05FC4E
SHA-512:A44A2C99D18509681505CF70A251BAF2558030A8648D9C621ACC72FAFCB2F744E3EF664DFD0229BAF7C78FB72E69F5D644C755DED4060DCAFA7F711D70E94772
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 92%
Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):3430912
Entropy (8bit):7.837683418406003
Encrypted:false
SSDEEP:98304:Y/gORUJOUyQBOrgJedw0H+GSYq8dG+zMJ:Y/+J69gKw0e1Yq+P
MD5:76EAE6EF736073145D6C06D981615FF9
SHA1:6612A26D5DB4A6A745FED7518EC93A1121FFFD9C
SHA-256:3ACDEA11112584CD1F78DA03F6AF5CFC0F883309FC5EC552FA6B9C85A6C483BB
SHA-512:E7C118BBE9F62D5834B374E05242636B32DAAB2C1FE607521D6E78520665C59F78637B74C85D171F8608E255BE50731771F0A09DCCA69E016B281EE02AB77231
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 62%
Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):1793536
Entropy (8bit):7.937675203377117
Encrypted:false
SSDEEP:49152:L/eYUVc8uWw3Sg6s8Zep6UXIEgf7WD4GTF:L/eYUW8bwUaPXVgzWMG
MD5:85A15F080B09ACACE350AB30460C8996
SHA1:3FC515E60E4CFA5B3321F04A96C7FB463E4B9D02
SHA-256:3A2006BC835A8FFE91B9EE9206F630B3172F42E090F4E8D90BE620E540F5EF6B
SHA-512:ADE5E3531DFA1A01E6C2A69DEB2962CBF619E766DA3D6E8E3453F70FF55CCBCBE21381C7B97A53D67E1CA88975F4409B1A42A759E18F806171D29E4C3F250E9F
Malicious:true
Yara Hits:
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\alexxxxxxxx[1].exe, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 96%
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e.................T..........Nr... ........@.. ....................................`..................................r..K.......D............................q............................................... ............... ..H............text...TR... ...T.................. ..`.rsrc...D............V..............@..@.reloc...............\..............@..B................0r......H........w..x...........$....&...........................................0..j.......~....:_.........~....(.... .... .... ....s....~....(............~....(....~....(.... ....?....r...ps....z*...(....*..0..$.........r...p......~....(....~....(......*...]*....0................s.........}.......i..... .......... ...............&........}....8......{.......d.....~....(................{....~....(....s.........o.......o.......o.......o.......o............{....o........:............s
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):112128
                                                                                                                                                                                                                                                        Entropy (8bit):6.400356358225577
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3072:D4uSD+ZwruS0bGYuZRtasSVh/QEIegRQod4l:kuTiabruZR8JSlD4l
                                                                                                                                                                                                                                                        MD5:154C3F1334DD435F562672F2664FEA6B
                                                                                                                                                                                                                                                        SHA1:51DD25E2BA98B8546DE163B8F26E2972A90C2C79
                                                                                                                                                                                                                                                        SHA-256:5F431129F97F3D56929F1E5584819E091BD6C854D7E18503074737FC6D79E33F
                                                                                                                                                                                                                                                        SHA-512:1BCA69BBCDB7ECD418769E9D4BEFC458F9F8E3CEE81FEB7316BB61E189E2904F4431E4CC7D291E179A5DEC441B959D428D8E433F579036F763BBAD6460222841
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\clip64[1].dll, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_Amadey_3, Description: Yara detected Amadey\'s Clipper DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\clip64[1].dll, Author: Joe Security
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 96%
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.j.c.j.c.j.8.i.i.j.8.o..j.8.n.q.j..n.l.j..i.r.j..o.B.j.8.k.d.j.c.k...j...c.`.j...j.b.j.....b.j...h.b.j.Richc.j.........................PE..L......e...........!.....$...........f.......@............................................@......................... ...........P.......................................8...........................(...@............@..L............................text...6#.......$.................. ..`.rdata..4i...@...j...(..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1166336
                                                                                                                                                                                                                                                        Entropy (8bit):7.03557592174814
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24576:jqDEvCTbMWu7rQYlBQcBiT6rprG8aug2+b+HdiJUX:jTvC/MTQYxsWR7aug2+b+HoJU
                                                                                                                                                                                                                                                        MD5:34491075D86DBE293DDD347B8F89F590
                                                                                                                                                                                                                                                        SHA1:719AF6894F47B758D0FF6F4BC631B87D23137189
                                                                                                                                                                                                                                                        SHA-256:640D4A2269BDF5646E1467E04DAEE675CDA4EA612BCAB999F67CA299D784D1C5
                                                                                                                                                                                                                                                        SHA-512:F005018E5477AF254BD4D77D37F7185AC9C1C18A5C236709C2AA20242C1693F370DF9B4DF1B98667096BC904E20E65259E01C2EEB7B871D707D35E813459BCBB
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L...`.!f..........".................w.............@..........................0......~.....@...@.......@.....................d...|....@..|a.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...|a...@...b..................@..@.reloc...u.......v...V..............@..B........................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                                                                                                                                                                                                                                        File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):573392
                                                                                                                                                                                                                                                        Entropy (8bit):7.626990187920221
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:12288:yi/BY1Np6gS4GerR72nfELsEtYi19W5I3v/CgeX:yGY5dr2RECW9II/uX
                                                                                                                                                                                                                                                        MD5:9EE0C556E1B952495A74709E6B06459A
                                                                                                                                                                                                                                                        SHA1:1B631E41B43D6F7EF3F7D140C1EB14ECF1CD861D
                                                                                                                                                                                                                                                        SHA-256:0E236536F9FC793BE5F2E276555817D0BB9206E9D56904BC509188BC42515129
                                                                                                                                                                                                                                                        SHA-512:1EC91C9E0AB4E359BE73677F81150922ED06FC58E621E2115D4C607AFB94DBF69A8362DB14A531FF6ABA69B1DC8E3CD2A0AA0BA626320CAA9C250060BBE44558
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 46%
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."...0.L................ ....@...... .......................`............`..........................................................@.............................................................................................. ..H............text...L.... ...................... ..`.rsrc........@......................@..@........................................H.......t...21..........................................................&...#...'...................................................#............................................................... ...#...&...'...(...*...,...*.......................H............... .................(....*:.(......}....*..(....*..(....*^.(.....(....o....}S...*..(.....-.r_..ps....z..o....}S...*.(....s....*...~T...-.(....s.......T.....~T...*:.(......}U...*..(.....-.r_..ps....z..o....}U...*..-.r...ps....z
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):500224
                                                                                                                                                                                                                                                        Entropy (8bit):7.67978044253844
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:12288:QDJ6PRDB7ZUl9F4SWieS/KSvMjnfyiDD+9CBqeE:QV6hpZU/7b/KSkjbDTH
                                                                                                                                                                                                                                                        MD5:82053649CADEC1A338509E46BA776FBD
                                                                                                                                                                                                                                                        SHA1:6D8E479A6DC76D54109BB2E602B8087D55537510
                                                                                                                                                                                                                                                        SHA-256:30468F8B767772214C60A701ECFEE11C634516C3E2DE146CD07638EA00DD0B6E
                                                                                                                                                                                                                                                        SHA-512:E4B2B219483477A73FEC5A207012F77C7167BF7B7F9ADCB80EE92F87DDFE592A0D520F2AFEE531D1CCE926EF56DA2B065B13630A1CC171F48DB8F7987E10897A
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 34%
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........OW.h.W.h.W.h...k.[.h...m...h...l.B.h..tl.E.h..tk.C.h...i.R.h.W.i...h..tm...h..wa.V.h..wj.V.h.RichW.h.........PE..L....#!f...............'............._....... ....@.......................................@.....................................<................................................................... ...@............ ..H............................text............................... ..`.rdata....... ......................@..@.data... ...........................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):311296
                                                                                                                                                                                                                                                        Entropy (8bit):5.0817932970004
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3072:uq6EgY6i4rUjhYMLwPcologL/ejZWTACtAti0lcZqf7D34leqiOLibBOp:VqY6inwPDpKZWTA+AplcZqf7DIvL
                                                                                                                                                                                                                                                        MD5:8510BCF5BC264C70180ABE78298E4D5B
                                                                                                                                                                                                                                                        SHA1:2C3A2A85D129B0D750ED146D1D4E4D6274623E28
                                                                                                                                                                                                                                                        SHA-256:096220045877E456EDFEA1ADCD5BF1EFD332665EF073C6D1E9474C84CA5433F6
                                                                                                                                                                                                                                                        SHA-512:5FF0A47F9E14E22FC76D41910B2986605376605913173D8AD83D29D85EB79B679459E2723A6AD17BC3C3B8C9B359E2BE7348EE1C21FA2E8CEB7CC9220515258D
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\jok[1].exe, Author: Joe Security
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 74%
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)v................0................. ... ....@.. ....................... ............@.................................t...O.... ..............................X................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2310656
Entropy (8bit):7.95158059421594
Encrypted:false
SSDEEP:49152:SeF1xn14/3wSmwAkB8FZOGlapkS7lHVdv1m8dhu7EmtpeJb8oVU:/1xn1nSmwAY8FPlC5H/vYWg7nSIUU
MD5:FDA558788F4A8C86423D97EE694671FC
SHA1:6E211175DD2CB84BE39EE42D1D9CFFD8D88EE4B1
SHA-256:A17926575BF705C38D2D8076B379DFCDC937BCF4C1EE149F1B119DAF0FC2AA6C
SHA-512:F2AC10F0982A66A71155F03B91BC979ADF726AE423B3CBAC0A8B578E3808FDEA0B75F0A88037DAB8B0492A5EB1AF808C881FA7ECA5AA6D7E945074A6992B664D
Malicious:true
Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......P.....t...t...t._.w...t._.q...t._.s...t.......t...p...t...w...t...q.O.t._.p...t._.r...t._.u...t...u.4.t..|}...t..|t...t..|....t......t..|v...t.Rich..t.........PE..L......f...............'.4...2........X......P....@...........................X.......#...@...........................X.L...m........P.......................X.............................\.X.............................t...@................... . .@.......>..................@....rsrc.......P.......N..............@....idata ............................@... .0*.. ......................@...ylghxgim.p...P?..l..................@...rirxhfbq......X......@#.............@...................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3034624
Entropy (8bit):6.549382157838926
Encrypted:false
SSDEEP:49152:O7yhKtnwpmRei5FHEdkjqM6tUi2jIILqdYhfdIAcax:O7yhKqEeizHEdkuM6tUhTOU6ANx
MD5:A599E020F718CF8C8F2C4CBC4DD53A20
SHA1:204471DFBE8595643042F780F6A41E11AF6933D6
SHA-256:624F4D882C679941AE0FBEDD47554D2DD8419C3D5E6492D020B004719C164974
SHA-512:60F1A2C7F46D15A9F533940A5C14B2ADAF5A90343CBE7536D3C1EB773D612B0F272322F8F78BA2475E5B183364B0719B5037460C9757E2AAD661128EA98DEF2D
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 39%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.Y@...@...@....m..Q....m.......h..R....h..W....h..5....m..U....m..S...@........k..A....k1.A....k..A...Rich@...........PE..L...o..e..............................1...... ....@.......................... 2...........@.................................V...j...........................0.1...............................1..................................................... . ............................@....rsrc...............................@....idata ............................@...mbzyibtj.0+......*+.................@...snnxyswc......1......(..............@....taggant.0....1.."...,..............@...........................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):215152
Entropy (8bit):7.4188328050455254
Encrypted:false
SSDEEP:6144:gQtdqzqv7rArb/LoEyavuW6uqQqNW14pv:gQtdqWk/LDmQqQqK4pv
MD5:51B0ED6B4908A21E5CC1D9EC7C046040
SHA1:D874F6DA7327B2F1B3ACE5E66BC763C557AC382E
SHA-256:4E68C5A537320CBE88842A53E5691B7F1A590B9C0B491A12BAAEEDA111DCAA4D
SHA-512:48EC96B209D7061A1276496FEB250CF183891B950465D3A916C999AA1EFC1C8831B068CE0FCE4CE21D09677F945B3D816ED4040146462A0CE0845318041586A2
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 66%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C.N.-.N.-.N.-.....D.-...(..-...).Z.-..$(.h.-..$).\.-..$..\.-...,.K.-.N.,...-..'$.O.-..'.O.-..'/.O.-.RichN.-.........................PE..L.... f...............'.,..........s........@....@..........................`............@.................................D...<....0..............."..p&...@..$......................................@............@..(............................text...^*.......,.................. ..`.rdata...j...@...l...0..............@..@.data...Dz.......r..................@....rsrc........0......................@..@.reloc..$....@......................@..B................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):112128
Entropy (8bit):6.400158525810517
Encrypted:false
SSDEEP:3072:Q3uSD+ZwruS0bGcuZRt2sSZV/Q3IegRQod4l:AuTiabHuZRAFtlD4l
MD5:726CD06231883A159EC1CE28DD538699
SHA1:404897E6A133D255AD5A9C26AC6414D7134285A2
SHA-256:12FEF2D5995D671EC0E91BDBDC91E2B0D3C90ED3A8B2B13DDAA8AD64727DCD46
SHA-512:9EA82E7CB6C6A58446BD5033855947C3E2D475D2910F2B941235E0B96AA08EEC822D2DD17CC86B2D3FCE930F78B799291992408E309A6C63E3011266810EA83E
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\clip64[1].dll, Author: Joe Security
• Rule: JoeSecurity_Amadey_3, Description: Yara detected Amadey's Clipper DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\clip64[1].dll, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 82%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.j.c.j.c.j.8.i.i.j.8.o..j.8.n.q.j..n.l.j..i.r.j..o.B.j.8.k.d.j.c.k...j...c.`.j...j.b.j.....b.j...h.b.j.Richc.j.........................PE..L...j..e...........!.....$...........f.......@............................................@......................... ...........P.......................................8...........................(...@............@..L............................text...6#.......$.................. ..`.rdata..4i...@...j...(..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:dropped
Size (bytes):1285632
Entropy (8bit):6.460276790319054
Encrypted:false
SSDEEP:24576:2vkQL6YY4wMPSYZofkf0Gh6Pi41+a9uyP5dggv4+yC7:2sMPSYcS5wPi095PbgS4
MD5:F35B671FDA2603EC30ACE10946F11A90
SHA1:059AD6B06559D4DB581B1879E709F32F80850872
SHA-256:83E3DF5BEC15D5333935BEA8B719A6D677E2FB3DC1CF9E18E7B82FD0438285C7
SHA-512:B5FA27D08C64727CEF7FDDA5E68054A4359CD697DF50D70D1D90DA583195959A139066A6214531BBC5F20CD4F9BC1CA3E4244396547381291A6A1D2DF9CF8705
Malicious:true
Yara Hits:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\RCIIZOAM\cred64[1].dll, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 92%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^.._...^.._...^.._2..^W._..^W._...^W._...^.._...^...^C..^.._...^.._...^..X^...^.._...^Rich...^........................PE..d......e.........." .........R......h........................................P............`......................................... ...X...x........ .......`..(............0..........p........................... ................................................text............................... ..`.rdata..............................@..@.data...L........D..................@....pdata..(....`......................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2307072
Entropy (8bit):7.952865423483912
Encrypted:false
SSDEEP:49152:8eF1xn14Ni5PKHjj2jXqQQKZlPiSTcex+tGFU:l1xn15PPXqQQKZlT6IFU
MD5:05920069E39B7A43C6BE22A3D7A88DB4
SHA1:ED9CB87300C570F3F0A84C780FA33CE073E6208B
SHA-256:5BA39356C240822BFAD83FFCD38B0D9D4E9AABBCD7DE702030AC3CE71A62548C
SHA-512:8837782BC1FF599BE56D3E789F7DAECE0118A27DAC7E0E65B729978A47206CDDBB01A8DBCF4BC8285AA5E71EFC61FE5FFB1335B69AB77AA0144780CD6C802E02
Malicious:true
Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......P.....t...t...t._.w...t._.q...t._.s...t.......t...p...t...w...t...q.O.t._.p...t._.r...t._.u...t...u.4.t..|}...t..|t...t..|....t......t..|v...t.Rich..t.........PE..L......f...............'.4...H.......pX......P....@...........................X......7#...@..........................W.L...^...r....P.......................W...............................W.............................t...@................... . .@.......>..................@....rsrc........P.......N..............@....idata ............................@... ..).. ......................@...wmoofkkg.`....?..^..................@...sgbeqrzx.....pX......0#.............@...................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):329352
Entropy (8bit):7.976897467568528
Encrypted:false
SSDEEP:6144:DFZcMaQk5oqtag00+wX3bSJxuI2Hc8PlsLNuPhRF1Ym:DFZg5Ztj00+03mJxmc8PfPwm
MD5:1C7D0F34BB1D85B5D2C01367CC8F62EF
SHA1:33AEDADB5361F1646CFFD68791D72BA5F1424114
SHA-256:E9E09C5E5D03D21FCA820BD9B0A0EA7B86AB9E85CDC9996F8F1DC822B0CC801C
SHA-512:53BF85D2B004F69BBBF7B6DC78E5F021ABA71B6F814101C55D3BF76E6D058A973BC58270B6B621B2100C6E02D382F568D1E96024464E8EA81E6DB8CCD948679D
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 92%
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...]h.f................................. ........@.. ....................... .......b....`.................................L...O.......:................N........................................................... ............... ..H............text........ ...................... ..`.rsrc...:...........................@..@.reloc..............................@..B........................H........................................................................0..........r...p.*..(....*..0..........rg..p.*..(....*...]*.0..\.........i.s........+...o.......X.... ....2..o.......o........8.........-X....d....(......(....&s..........o......o.....1......o...........o....r...po.....3....+.s.........o.......o.......o.......o.......o.......o.......Lo.......o.......o...........o........o.....Yo.........+........(...........o....+....2...X.. ....?........+A..... ........
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1504
                                                                                                                                                                                                                                                        Entropy (8bit):5.274826074581965
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:3xSKco4KmBs4RPT6BmFoUe7u1omjKcm9qr9t7J0gt/NKmNUNEr8H0UMem:BSU4y4RQmFoUeCamfm9qr9tK8NfUNEIa
                                                                                                                                                                                                                                                        MD5:2D9F053F15E277FBDF0DC512648E1C41
                                                                                                                                                                                                                                                        SHA1:B4AFA34FA178947357BEAEC124CBB68DC6CD1B26
                                                                                                                                                                                                                                                        SHA-256:9910FCD7442310F9B024BB282BF00D78E2DC6692001DB9A6F1A01BE15F7C9D29
                                                                                                                                                                                                                                                        SHA-512:93451C6E917C8CF544CEE49854C0FB40BC24C8A8A50A897E2201E6755E584DE7CCDA8889347B95C573050F0D4ADD139716E905C9A52CDF51B4C04BE7EE89D6D0
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:@...e...........4.....................&..............@..........@...............|.jdY\.H.s9.!..|4.......System.IO.Compression...H...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.................0..~.J.R...L........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Commands.Utility...
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):2310656
                                                                                                                                                                                                                                                        Entropy (8bit):7.95158059421594
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:49152:SeF1xn14/3wSmwAkB8FZOGlapkS7lHVdv1m8dhu7EmtpeJb8oVU:/1xn1nSmwAY8FPlC5H/vYWg7nSIUU
                                                                                                                                                                                                                                                        MD5:FDA558788F4A8C86423D97EE694671FC
                                                                                                                                                                                                                                                        SHA1:6E211175DD2CB84BE39EE42D1D9CFFD8D88EE4B1
                                                                                                                                                                                                                                                        SHA-256:A17926575BF705C38D2D8076B379DFCDC937BCF4C1EE149F1B119DAF0FC2AA6C
                                                                                                                                                                                                                                                        SHA-512:F2AC10F0982A66A71155F03B91BC979ADF726AE423B3CBAC0A8B578E3808FDEA0B75F0A88037DAB8B0492A5EB1AF808C881FA7ECA5AA6D7E945074A6992B664D
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......P.....t...t...t._.w...t._.q...t._.s...t.......t...p...t...w...t...q.O.t._.p...t._.r...t._.u...t...u.4.t..|}...t..|t...t..|....t......t..|v...t.Rich..t.........PE..L......f...............'.4...2........X......P....@...........................X.......#...@...........................X.L...m........P.......................X.............................\.X.............................t...@................... . .@.......>..................@....rsrc.......P.......N..............@....idata ............................@... .0*.. ......................@...ylghxgim.p...P?..l..................@...rirxhfbq......X......@#.............@...................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\tA6etkt3gb.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):3034624
                                                                                                                                                                                                                                                        Entropy (8bit):6.549382157838926
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:49152:O7yhKtnwpmRei5FHEdkjqM6tUi2jIILqdYhfdIAcax:O7yhKqEeizHEdkuM6tUhTOU6ANx
                                                                                                                                                                                                                                                        MD5:A599E020F718CF8C8F2C4CBC4DD53A20
                                                                                                                                                                                                                                                        SHA1:204471DFBE8595643042F780F6A41E11AF6933D6
                                                                                                                                                                                                                                                        SHA-256:624F4D882C679941AE0FBEDD47554D2DD8419C3D5E6492D020B004719C164974
                                                                                                                                                                                                                                                        SHA-512:60F1A2C7F46D15A9F533940A5C14B2ADAF5A90343CBE7536D3C1EB773D612B0F272322F8F78BA2475E5B183364B0719B5037460C9757E2AAD661128EA98DEF2D
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 39%
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.Y@...@...@....m..Q....m.......h..R....h..W....h..5....m..U....m..S...@........k..A....k1.A....k..A...Rich@...........PE..L...o..e..............................1...... ....@.......................... 2...........@.................................V...j...........................0.1...............................1..................................................... . ............................@....rsrc...............................@....idata ............................@...mbzyibtj.0+......*+.................@...snnxyswc......1......(..............@....taggant.0....1.."...,..............@...........................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\tA6etkt3gb.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                                        Size (bytes):26
                                                                                                                                                                                                                                                        Entropy (8bit):3.95006375643621
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3:ggPYV:rPYV
                                                                                                                                                                                                                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                                                                                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                                                                                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                                                                                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:[ZoneTransfer]....ZoneId=0
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1859584
                                                                                                                                                                                                                                                        Entropy (8bit):7.9540481541761885
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:49152:ljB6fba59ftmNE+uXoiR9xzTy0rt80KhKTD+qf:labsfg2rFCYLHD
                                                                                                                                                                                                                                                        MD5:47786A32E7A47031EE41BD1C2EE24B39
                                                                                                                                                                                                                                                        SHA1:ED6D9E21E9822911E4684CBBC809921CD61202F1
                                                                                                                                                                                                                                                        SHA-256:CC2A29B7284E685872510FD59383F4BF78C04FAF8A0A1EB82375EA78DBCBEA61
                                                                                                                                                                                                                                                        SHA-512:CD844182B4C9479DDBE3E32975ACA1858EACAF4ED398A24DAA9B886DC362FB911E42BAB7679AE242FC594B005DD335F89109329ED731D82C5A7CD5B25FC2FE9B
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*R..n3.@n3.@n3.@5[.A`3.@5[.A.3.@.^.A|3.@.^.Az3.@.^.A.3.@5[.Az3.@5[.A}3.@n3.@.3.@.].Ao3.@.]u@o3.@.].Ao3.@Richn3.@........................PE..L......e..............................I...........@...........................J.....j.....@.................................Vp..j....`......................X.I...............................I..................................................... . .P..........................@....rsrc........`......................@....idata .....p......................@... ..).........................@...cpdfasyf.P...p0..N..................@...thtvckdy......I......:..............@....taggant.0....I.."...>..............@...................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1166336
                                                                                                                                                                                                                                                        Entropy (8bit):7.03557592174814
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24576:jqDEvCTbMWu7rQYlBQcBiT6rprG8aug2+b+HdiJUX:jTvC/MTQYxsWR7aug2+b+HoJU
                                                                                                                                                                                                                                                        MD5:34491075D86DBE293DDD347B8F89F590
                                                                                                                                                                                                                                                        SHA1:719AF6894F47B758D0FF6F4BC631B87D23137189
                                                                                                                                                                                                                                                        SHA-256:640D4A2269BDF5646E1467E04DAEE675CDA4EA612BCAB999F67CA299D784D1C5
                                                                                                                                                                                                                                                        SHA-512:F005018E5477AF254BD4D77D37F7185AC9C1C18A5C236709C2AA20242C1693F370DF9B4DF1B98667096BC904E20E65259E01C2EEB7B871D707D35E813459BCBB
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L...`.!f..........".................w.............@..........................0......~.....@...@.......@.....................d...|....@..|a.......................u...........................4..........@............................................text............................... ..`.rdata..............................@..@.data...lp.......H..................@....rsrc...|a...@...b..................@..@.reloc...u.......v...V..............@..B........................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):2310656
                                                                                                                                                                                                                                                        Entropy (8bit):7.95158059421594
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:49152:SeF1xn14/3wSmwAkB8FZOGlapkS7lHVdv1m8dhu7EmtpeJb8oVU:/1xn1nSmwAY8FPlC5H/vYWg7nSIUU
                                                                                                                                                                                                                                                        MD5:FDA558788F4A8C86423D97EE694671FC
                                                                                                                                                                                                                                                        SHA1:6E211175DD2CB84BE39EE42D1D9CFFD8D88EE4B1
                                                                                                                                                                                                                                                        SHA-256:A17926575BF705C38D2D8076B379DFCDC937BCF4C1EE149F1B119DAF0FC2AA6C
                                                                                                                                                                                                                                                        SHA-512:F2AC10F0982A66A71155F03B91BC979ADF726AE423B3CBAC0A8B578E3808FDEA0B75F0A88037DAB8B0492A5EB1AF808C881FA7ECA5AA6D7E945074A6992B664D
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......P.....t...t...t._.w...t._.q...t._.s...t.......t...p...t...w...t...q.O.t._.p...t._.r...t._.u...t...u.4.t..|}...t..|t...t..|....t......t..|v...t.Rich..t.........PE..L......f...............'.4...2........X......P....@...........................X.......#...@...........................X.L...m........P.......................X.............................\.X.............................t...@................... . .@.......>..................@....rsrc.......P.......N..............@....idata ............................@... .0*.. ......................@...ylghxgim.p...P?..l..................@...rirxhfbq......X......@#.............@...................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):329352
                                                                                                                                                                                                                                                        Entropy (8bit):7.976897467568528
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6144:DFZcMaQk5oqtag00+wX3bSJxuI2Hc8PlsLNuPhRF1Ym:DFZg5Ztj00+03mJxmc8PfPwm
                                                                                                                                                                                                                                                        MD5:1C7D0F34BB1D85B5D2C01367CC8F62EF
                                                                                                                                                                                                                                                        SHA1:33AEDADB5361F1646CFFD68791D72BA5F1424114
                                                                                                                                                                                                                                                        SHA-256:E9E09C5E5D03D21FCA820BD9B0A0EA7B86AB9E85CDC9996F8F1DC822B0CC801C
                                                                                                                                                                                                                                                        SHA-512:53BF85D2B004F69BBBF7B6DC78E5F021ABA71B6F814101C55D3BF76E6D058A973BC58270B6B621B2100C6E02D382F568D1E96024464E8EA81E6DB8CCD948679D
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 92%
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...]h.f................................. ........@.. ....................... .......b....`.................................L...O.......:................N........................................................... ............... ..H............text........ ...................... ..`.rsrc...:...........................@..@.reloc..............................@..B........................H........................................................................0..........r...p.*..(....*..0..........rg..p.*..(....*...]*.0..\.........i.s........+...o.......X.... ....2..o.......o........8.........-X....d....(......(....&s..........o......o.....1......o...........o....r...po.....3....+.s.........o.......o.......o.......o.......o.......o.......Lo.......o.......o...........o........o.....Yo.........+........(...........o....+....2...X.. ....?........+A..... ........
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1793536
                                                                                                                                                                                                                                                        Entropy (8bit):7.937675203377117
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:49152:L/eYUVc8uWw3Sg6s8Zep6UXIEgf7WD4GTF:L/eYUW8bwUaPXVgzWMG
                                                                                                                                                                                                                                                        MD5:85A15F080B09ACACE350AB30460C8996
                                                                                                                                                                                                                                                        SHA1:3FC515E60E4CFA5B3321F04A96C7FB463E4B9D02
                                                                                                                                                                                                                                                        SHA-256:3A2006BC835A8FFE91B9EE9206F630B3172F42E090F4E8D90BE620E540F5EF6B
                                                                                                                                                                                                                                                        SHA-512:ADE5E3531DFA1A01E6C2A69DEB2962CBF619E766DA3D6E8E3453F70FF55CCBCBE21381C7B97A53D67E1CA88975F4409B1A42A759E18F806171D29E4C3F250E9F
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\1000148001\alexxxxxxxx.exe, Author: Joe Security
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 96%
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e.................T..........Nr... ........@.. ....................................`..................................r..K.......D............................q............................................... ............... ..H............text...TR... ...T.................. ..`.rsrc...D............V..............@..@.reloc...............\..............@..B................0r......H........w..x...........$....&...........................................0..j.......~....:_.........~....(.... .... .... ....s....~....(............~....(....~....(.... ....?....r...ps....z*...(....*..0..$.........r...p......~....(....~....(......*...]*....0................s.........}.......i..... .......... ...............&........}....8......{.......d.....~....(................{....~....(....s.........o.......o.......o.......o.......o............{....o........:............s
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):500224
                                                                                                                                                                                                                                                        Entropy (8bit):7.67978044253844
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:12288:QDJ6PRDB7ZUl9F4SWieS/KSvMjnfyiDD+9CBqeE:QV6hpZU/7b/KSkjbDTH
                                                                                                                                                                                                                                                        MD5:82053649CADEC1A338509E46BA776FBD
                                                                                                                                                                                                                                                        SHA1:6D8E479A6DC76D54109BB2E602B8087D55537510
                                                                                                                                                                                                                                                        SHA-256:30468F8B767772214C60A701ECFEE11C634516C3E2DE146CD07638EA00DD0B6E
                                                                                                                                                                                                                                                        SHA-512:E4B2B219483477A73FEC5A207012F77C7167BF7B7F9ADCB80EE92F87DDFE592A0D520F2AFEE531D1CCE926EF56DA2B065B13630A1CC171F48DB8F7987E10897A
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 34%
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........OW.h.W.h.W.h...k.[.h...m...h...l.B.h..tl.E.h..tk.C.h...i.R.h.W.i...h..tm...h..wa.V.h..wj.V.h.RichW.h.........PE..L....#!f...............'............._....... ....@.......................................@.....................................<................................................................... ...@............ ..H............................text............................... ..`.rdata....... ......................@..@.data... ...........................@....reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):428544
                                                                                                                                                                                                                                                        Entropy (8bit):6.494348537450964
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:12288:5noAx+FnmuQhimtPURimLqevmipum+K4Y:5+FnmuGtpMLnLYY
                                                                                                                                                                                                                                                        MD5:0099A99F5FFB3C3AE78AF0084136FAB3
                                                                                                                                                                                                                                                        SHA1:0205A065728A9EC1133E8A372B1E3864DF776E8C
                                                                                                                                                                                                                                                        SHA-256:919AE827FF59FCBE3DBAEA9E62855A4D27690818189F696CFB5916A88C823226
                                                                                                                                                                                                                                                        SHA-512:5AC4F3265C7DD7D172284FB28C94F8FC6428C27853E70989F4EC4208F9897BE91720E8EEE1906D8E843AB05798F3279A12492A32E8A118F5621AC5E1BE2031B6
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Yara Hits:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Local\Temp\1000150001\NewB.exe, Author: Joe Security
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 76%
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......wD..3%..3%..3%..hM..=%..hM...%..hM.. %...H..!%...H..'%...H..F%..hM.."%..3%...%...K..2%...Ko.2%...K..2%..Rich3%..........................PE..L.... Me..........................................@.......................................@.................................D...x....p...........................L..P...8...................,...........@............................................text............................... ..`.rdata..............................@..@.data....F... ...4..................@....rsrc........p.......:..............@..@.reloc...L.......N...<..............@..B................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):311296
                                                                                                                                                                                                                                                        Entropy (8bit):5.0817932970004
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3072:uq6EgY6i4rUjhYMLwPcologL/ejZWTACtAti0lcZqf7D34leqiOLibBOp:VqY6inwPDpKZWTA+AplcZqf7DIvL
                                                                                                                                                                                                                                                        MD5:8510BCF5BC264C70180ABE78298E4D5B
SHA1:2C3A2A85D129B0D750ED146D1D4E4D6274623E28
SHA-256:096220045877E456EDFEA1ADCD5BF1EFD332665EF073C6D1E9474C84CA5433F6
SHA-512:5FF0A47F9E14E22FC76D41910B2986605376605913173D8AD83D29D85EB79B679459E2723A6AD17BC3C3B8C9B359E2BE7348EE1C21FA2E8CEB7CC9220515258D
Malicious:true
Yara Hits:
• Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Temp\1000152001\jok.exe, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 74%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...)v................0................. ... ....@.. ....................... ............@.................................t...O.... ..............................X................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):162304
Entropy (8bit):7.967195699444992
Encrypted:false
SSDEEP:3072:I1lmOH349skOxH49PsH+8KqnuHV7A/5S+c6wABA47PN/6wHFHJ:I1iekOxYlI+EuH2cvAe4BywlH
MD5:586F7FECACD49ADAB650FAE36E2DB994
SHA1:35D9FB512A8161CE867812633F0A43B042F9A5E6
SHA-256:CF88D499C83DA613AD5CCD8805822901BDC3A12EB9B15804AEFF8C53DC05FC4E
SHA-512:A44A2C99D18509681505CF70A251BAF2558030A8648D9C621ACC72FAFCB2F744E3EF664DFD0229BAF7C78FB72E69F5D644C755DED4060DCAFA7F711D70E94772
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 92%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....G..........."...0..p...........4... ........@.. ....................................`.................................74..O....................................3..8............................................ ............... ..H............text...Po... ...p.................. ..`.rsrc................r..............@..@.reloc...............x..............@..B................k4......H........$.................................................................]*....0............i.s........+...o.......X.... ....2..o.......o........8.........-N....d....(......(....&s..........o.........o...........o....r...p(.....3....+.s....%.o....%.o....%.o....%.o....%.o....%.o....%.Lo....%.o....%.o....%.o....%o.....Yo.........+........(...........o....+....2...X.. ....?........+<. ....... ...............XX.. ....].......................X.. ....2........8.......+w..X ....].
Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):215152
Entropy (8bit):7.4188328050455254
Encrypted:false
SSDEEP:6144:gQtdqzqv7rArb/LoEyavuW6uqQqNW14pv:gQtdqWk/LDmQqQqK4pv
MD5:51B0ED6B4908A21E5CC1D9EC7C046040
SHA1:D874F6DA7327B2F1B3ACE5E66BC763C557AC382E
SHA-256:4E68C5A537320CBE88842A53E5691B7F1A590B9C0B491A12BAAEEDA111DCAA4D
SHA-512:48EC96B209D7061A1276496FEB250CF183891B950465D3A916C999AA1EFC1C8831B068CE0FCE4CE21D09677F945B3D816ED4040146462A0CE0845318041586A2
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 66%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........C.N.-.N.-.N.-.....D.-...(..-...).Z.-..$(.h.-..$).\.-..$..\.-...,.K.-.N.,...-..'$.O.-..'.O.-..'/.O.-.RichN.-.........................PE..L.... f...............'.,..........s........@....@..........................`............@.................................D...<....0..............."..p&...@..$......................................@............@..(............................text...^*.......,.................. ..`.rdata...j...@...l...0..............@..@.data...Dz.......r..................@....rsrc........0......................@..@.reloc..$....@......................@..B................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):3430912
Entropy (8bit):7.837683418406003
Encrypted:false
SSDEEP:98304:Y/gORUJOUyQBOrgJedw0H+GSYq8dG+zMJ:Y/+J69gKw0e1Yq+P
MD5:76EAE6EF736073145D6C06D981615FF9
SHA1:6612A26D5DB4A6A745FED7518EC93A1121FFFD9C
SHA-256:3ACDEA11112584CD1F78DA03F6AF5CFC0F883309FC5EC552FA6B9C85A6C483BB
SHA-512:E7C118BBE9F62D5834B374E05242636B32DAAB2C1FE607521D6E78520665C59F78637B74C85D171F8608E255BE50731771F0A09DCCA69E016B281EE02AB77231
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 62%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.................R4.............. ....@...... ........................4...........`...@......@............... ................................4.`............................................................................................ ..H............text....Q4.. ...R4................. ..`.rsrc...`.....4......T4.............@..@........................................H........i..t.......C...X~....+..........................................*...(....*...(....*.0../....... ........8........E&.......S...................u.......v...........................}...o...........A...a...B.......h.......4...........-...U...........`.......................8.....8i...8]...8.... ....~....{....9:...& ....8/.....~....`..... ....~....{2...9....& ....8....8S... %...8...... .t}E..Y..Xffeefeffeefa.. ....8....8.... ....~....{....:....& ....8....~......X..... ....8....8F
Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):573392
Entropy (8bit):7.626990187920221
Encrypted:false
SSDEEP:12288:yi/BY1Np6gS4GerR72nfELsEtYi19W5I3v/CgeX:yGY5dr2RECW9II/uX
MD5:9EE0C556E1B952495A74709E6B06459A
SHA1:1B631E41B43D6F7EF3F7D140C1EB14ECF1CD861D
SHA-256:0E236536F9FC793BE5F2E276555817D0BB9206E9D56904BC509188BC42515129
SHA-512:1EC91C9E0AB4E359BE73677F81150922ED06FC58E621E2115D4C607AFB94DBF69A8362DB14A531FF6ABA69B1DC8E3CD2A0AA0BA626320CAA9C250060BBE44558
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 46%
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......f.........."...0.L................ ....@...... .......................`............`..........................................................@.............................................................................................. ..H............text...L.... ...................... ..`.rsrc........@......................@..@........................................H.......t...21..........................................................&...#...'...................................................#............................................................... ...#...&...'...(...*...,...*.......................H............... .................(....*:.(......}....*..(....*..(....*^.(.....(....o....}S...*..(.....-.r_..ps....z..o....}S...*.(....s....*...~T...-.(....s.......T.....~T...*:.(......}U...*..(.....-.r_..ps....z..o....}U...*..-.r...ps....z
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
Category:dropped
Size (bytes):3082
Entropy (8bit):7.7411542385647225
Encrypted:false
SSDEEP:96:d6IAzIcC/6IAzIcClN++3jkyFYQPvNQLwnq2cF6:dKjCPKjCltka9E+lQ6
MD5:9FC670CD567B6DB4870B91638FA6B7D4
SHA1:0F6E37320B9D0244C106281F4431DE203DC30DA3
SHA-256:5F1C55C7F27D1CAEB067AAB12AB3988D344FCA7CA95FC98DDEF6EC6763A5D554
SHA-512:3716557CD43DEEBFFDDA13084F4554440F0DD9009F81A6AACC9B46FBA6308C4CDCEB5E57C73FD2A013368BA75285BCE201DC9AC67CD675932759EEECE89EB5EE
Malicious:true
Preview:PK.........EEW..............._Files_\PIVFAGEAAV.docx..G.E!...#.C...d...d."d..E.b....|j...I.3...Q-]?.8.h.0.Y.#...9.0.:o..D.rH|F..T.T.e..~......I.uu.............s..k.#7.E.M5pV..wY;/!-.c.>ZQ....\..Xj.....-........1Uq.,}.L..Xd..;.k..j?t./9........U...aM...?.T.....0..D..3..`g....u.H...{.E.Xb..m../..[..g}..9.......pM9......D...k?(...]0#F..<z.....[...h.#kHyd...^...h.P....t.p...u)$?@.u.^.#.........W....uQY.P.8k..\<......Z.|.7FezU.|+z.n..$..;.k...Q.."....3.v~.a......$WmH.5.....[."r........*.....x.{..l...TL.j.h.=p.,.6wF.....8.]..e_R.).F.u..K./.u|*>.L.".H.gW...7......2.h.1k..A.-.;j...:........0w..[...W.gI+.^..Z..Vg..yQG...F.4o..........#...S..v..=&].j.(l..`..PK.........EEW..............._Files_\PIVFAGEAAV.xlsx..G.E!...#.C...d...d."d..E.b....|j...I.3...Q-]?.8.h.0.Y.#...9.0.:o..D.rH|F..T.T.e..~......I.uu.............s..k.#7.E.M5pV..wY;/!-.c.>ZQ....\..Xj.....-........1Uq.,}.L..Xd..;.k..j?t./9........U...aM...?.T.....0..D..3..`g....u.H...{.E.Xb..
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
Category:dropped
Size (bytes):2990
Entropy (8bit):7.737909770330383
Encrypted:false
SSDEEP:48:9xa7XZV//QWGPvcmvNtF0KL8OKnUSKWc8Nx8T78fuRbKc4n3KJ6RkyOSiw:eZV//Q1vc+XF0KL3shKv8Ni7jROc43Ko
MD5:6DF7E8B2273C42C6CEA3BF6C4EF36F72
SHA1:8E375D0FF0C1FC47FD2B9A13E6172C92C52E9150
SHA-256:8417C5D7A8A002F9A5749B8841594F273B3D631B8A54BF6DEF4C82D9E79684EE
SHA-512:A8D615D0E7DEF699DDD3CE4CD872D1AC2F798F26341BC9F2092EE1AA3738AA5311AE89C76BA675DB4A4FD6AFC9D40F0C58C0C614604D747FD72301BE623A4359
Malicious:true
Yara Hits:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\2kpfKwlB_SMWQoOpeV00Wxp.zip, Author: Joe Security
Preview:PK...........X................Cookies\..PK...........XA.`%............Cookies\Chrome_Default.txt....@.........i.&h.Cn..L...\.FA@.~..v7..O...%!es.f..../S..a...@.,ek.%.H......</<2..,...I..w......1q.f.F+PiM.=h.5..2....0....O..u_.~}Z.UM........y...Rj..4H..D...xLY@....[.d.c&......G_............j%q%....Y.|.....P...u..u..85/..Z`...-..c...^A8n...Y.3......j.G!....c.....AM@!._W.yQbs.@.....h.y.-......|J..i...r....c....M...E...GS...C....X..C.U..v.%......C,.L0,......5.=....6.....PK...........X..E.3...........information.txt.YmO.:..^....~..m..v..B.;pg.......M...&U..sW...qZ^..#...?>....=^.Y2B..$...e.....a...{'..#tu.FG....(..6..QLy....in.NF(.......f...Y....aBfZ..,../..._.X....Ib3 .....h,....H...{.7.znf8..'2......QlE.[......S..xt7).Ei.Nosw>.29%..|..g......:IK..V..;./....;Z...oEl..+.\....._.C...Z...F..d.4.../.P.~..Q{.M/.......<....u]..,..Gh..H.x.Fh........Y...{.b.Z.D...9.0.x.no~\|.r.c:q.F...Vu...Ze....U..[].....P...3.bm.~.`|..}..f.)......|...=:..im..5..I.<D.>\j]....k.?.OM..d
Process:C:\Users\user\AppData\Local\Temp\1000054001\amert.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1859584
                                                                                                                                                                                                                                                        Entropy (8bit):7.9540481541761885
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:49152:ljB6fba59ftmNE+uXoiR9xzTy0rt80KhKTD+qf:labsfg2rFCYLHD
                                                                                                                                                                                                                                                        MD5:47786A32E7A47031EE41BD1C2EE24B39
                                                                                                                                                                                                                                                        SHA1:ED6D9E21E9822911E4684CBBC809921CD61202F1
                                                                                                                                                                                                                                                        SHA-256:CC2A29B7284E685872510FD59383F4BF78C04FAF8A0A1EB82375EA78DBCBEA61
                                                                                                                                                                                                                                                        SHA-512:CD844182B4C9479DDBE3E32975ACA1858EACAF4ED398A24DAA9B886DC362FB911E42BAB7679AE242FC594B005DD335F89109329ED731D82C5A7CD5B25FC2FE9B
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*R..n3.@n3.@n3.@5[.A`3.@5[.A.3.@.^.A|3.@.^.Az3.@.^.A.3.@5[.Az3.@5[.A}3.@n3.@.3.@.].Ao3.@.]u@o3.@.].Ao3.@Richn3.@........................PE..L......e..............................I...........@...........................J.....j.....@.................................Vp..j....`......................X.I...............................I..................................................... . .P..........................@....rsrc........`......................@....idata .....p......................@... ..).........................@...cpdfasyf.P...p0..N..................@...thtvckdy......I......:..............@....taggant.0....I.."...>..............@...................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1026
                                                                                                                                                                                                                                                        Entropy (8bit):4.685942106278079
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
                                                                                                                                                                                                                                                        MD5:3F6896A097F6B0AE6A2BF3826C813DFC
                                                                                                                                                                                                                                                        SHA1:951214AB37DEA766005DD981B0B3D61F936B035B
                                                                                                                                                                                                                                                        SHA-256:E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
                                                                                                                                                                                                                                                        SHA-512:C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:PIVFAGEAAVVMYOKLIHAGVKQSIBRMIEBPKZHRSRYSYCTZASSEWGQLTFYPITGFBLIMOSZPCOYJLDMIKUYRMFZNOVAKNNFUFMFWAQZIZZSOHPUKTMEQKVMZGORRHHUAPAVEHNTRHFTCOWUQLMTXHFAASXNSJOMVEVZKIBTYUEOEAYWORCLXNWXMWVTCVFUJOOHJFVBTQGYSPLVNZVQAKYRWBXASIFOBPMFAPMAVEFPAYEVCHLKOVGMAFTDZYSFCRVFLUCDEZSALOPZIFCHRCOADKGTQMGRAQFQVFLPTIZCOVQGXVCITLOKGAEHQOUDVVLBLANQIWAMALJXSPVCLVLGENZFIFSPDTQOOAOXTRKMORBXQQUMCVCGJNJNIYGXUUXANSJRSROPOUDFHQHUUMMRXDQWLRABBQAZENYVIBHRRHTGWSIVVUQDLCOQYLVPAUFYYHGIERJJLVMIHLHHCCGHRLMANSNVNAYHLENOWUETBHLULUXLDUIUWHDTSBTXYABZUPEVNUTYDIYOWXZQQWZTIKHRACSWYILZGJJAYPXSWVAJEAMWRWUWIOONUGSOWTNWVILBTRYWXPSGGJYETTQICCTQMOORSZENPULBEQOBSNDWJHFGZOXAYRMRTCQAGZFKLTXQJCKKKJTXRIIVBYSWRFFSDWLAWEVZNFVJIYAKGOFIKGKPALYKLUSFUZNXBTTGJQARLJLEPNMUPZBHUFERZBUARRWLRQMAELUFJHXEPWKNEOUOFWRPCGUFYJEWTUPSXMLBAGQWILTIUMBXONDPOFUHNKJJKISPTLDQHMYGKSUZUEBYHKNHJUVSBOBSFQWTBGVEFNVAAKMXTORQQDIBVTWEQECBUJMCLMNPNRTKIKGQQLCBXEDYYHZALQNWVUKKTUNZMKPSISXIDNZZXVGUERMWOJYWVPNSTVVUORBONVDVVOSICVUMWTQLGBVUNLJTMTSZIJARQMRHCGASSVBBFIRIMTSICIANQBRVHJQBP
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1026
                                                                                                                                                                                                                                                        Entropy (8bit):4.685942106278079
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:e80g32tqxncx15PRgoZOZUxcz6oV0dh0dxiXMK:e87SH5Go0ZeuDufAiXMK
                                                                                                                                                                                                                                                        MD5:3F6896A097F6B0AE6A2BF3826C813DFC
                                                                                                                                                                                                                                                        SHA1:951214AB37DEA766005DD981B0B3D61F936B035B
                                                                                                                                                                                                                                                        SHA-256:E6E3A92151EEE0FCDF549A607AE9E421E9BB081D7B060015A60865E69A2A3D60
                                                                                                                                                                                                                                                        SHA-512:C7BD241F0E71DC29320CC051F649532FFF471B5E617B648CC495413587C06C236AFA4673A7BC77409E989260278CDEF49BDACA38BEB6AF65FEE74C563775B97C
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:PIVFAGEAAVVMYOKLIHAGVKQSIBRMIEBPKZHRSRYSYCTZASSEWGQLTFYPITGFBLIMOSZPCOYJLDMIKUYRMFZNOVAKNNFUFMFWAQZIZZSOHPUKTMEQKVMZGORRHHUAPAVEHNTRHFTCOWUQLMTXHFAASXNSJOMVEVZKIBTYUEOEAYWORCLXNWXMWVTCVFUJOOHJFVBTQGYSPLVNZVQAKYRWBXASIFOBPMFAPMAVEFPAYEVCHLKOVGMAFTDZYSFCRVFLUCDEZSALOPZIFCHRCOADKGTQMGRAQFQVFLPTIZCOVQGXVCITLOKGAEHQOUDVVLBLANQIWAMALJXSPVCLVLGENZFIFSPDTQOOAOXTRKMORBXQQUMCVCGJNJNIYGXUUXANSJRSROPOUDFHQHUUMMRXDQWLRABBQAZENYVIBHRRHTGWSIVVUQDLCOQYLVPAUFYYHGIERJJLVMIHLHHCCGHRLMANSNVNAYHLENOWUETBHLULUXLDUIUWHDTSBTXYABZUPEVNUTYDIYOWXZQQWZTIKHRACSWYILZGJJAYPXSWVAJEAMWRWUWIOONUGSOWTNWVILBTRYWXPSGGJYETTQICCTQMOORSZENPULBEQOBSNDWJHFGZOXAYRMRTCQAGZFKLTXQJCKKKJTXRIIVBYSWRFFSDWLAWEVZNFVJIYAKGOFIKGKPALYKLUSFUZNXBTTGJQARLJLEPNMUPZBHUFERZBUARRWLRQMAELUFJHXEPWKNEOUOFWRPCGUFYJEWTUPSXMLBAGQWILTIUMBXONDPOFUHNKJJKISPTLDQHMYGKSUZUEBYHKNHJUVSBOBSFQWTBGVEFNVAAKMXTORQQDIBVTWEQECBUJMCLMNPNRTKIKGQQLCBXEDYYHZALQNWVUKKTUNZMKPSISXIDNZZXVGUERMWOJYWVPNSTVVUORBONVDVVOSICVUMWTQLGBVUNLJTMTSZIJARQMRHCGASSVBBFIRIMTSICIANQBRVHJQBP
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1026
                                                                                                                                                                                                                                                        Entropy (8bit):4.698473196318807
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:yRweZ+GANSA1E8ftV/VhmiY4WFk1Mu7mtKmj1KVVrsfmbG:abZ+X1E8lVNhmNA1P76KmxKamK
                                                                                                                                                                                                                                                        MD5:4D0D308F391353530363283961DF2C54
                                                                                                                                                                                                                                                        SHA1:59DC2A289D6AB91E0CBD287A0F1D47E29BAE0C07
                                                                                                                                                                                                                                                        SHA-256:6D4D77F7AD924168358F449E995C13B1072F06F7D8A464C232E643E2BD4DFF09
                                                                                                                                                                                                                                                        SHA-512:DBF8C59E10706B4E220A6F15ADF4E4BAC5271F9477A5C32F8C61943A0A9318D50AD1A2E00E2BDF49DBA842B603545C49F9C36698802B3CDFE1F51FEC0C214B7A
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQSJKEBWDTQPYRJUMTXHILYOMMANPJPHHMRHFVWTZEPXAIAVKTSBZRYUTWHNFQIECJFXGKPUTVPJATJGMKUHXJODTESNRMMJTXWENSGOWPBKXVHEEJMAGWUGYELOFGDDMEXBMBPCQOZDIQJHWWTSSVNGZLVHCHBZNJSYUOTWAPZJKFXWFCXQUQCBQYKVYKKKLNXSSSSLGTAFUMEJNHNRUGIMMETQDZKJCJZPRVXTSJLLHAUIPPNLEBPEUBCKHAPQUFAGPBYQCGICNBXZSXWAJNTKCUOBGQDHMCHIJBTKFTHSCPEBQXTOJKUAWTWRXEPYUIVUBKOGJQVRNBCCKFIMUIRPTIPNOIKNYUBFQMLTBCEFKXWKFTLKOEFALEANNDBOMFEYCLJVLOGSDFYCVBHQLAHJAEUYVZUKKYJAFJZPGGRXWJYMLQJGLJJPLVWQZTEJZVFZAIXBTWSNPXWYEWJSPNEXNORNZGESIRMDWDAAOUYCCNJQHBKTFVBSDSYVEQCQSBURVVYQIWJIGTJQDEZYGUHFKDWPAZGTXJFCGXCCHSPAITPOYIKUIZLMXTHWETVEIEWMJFHZRXBWPEKERORJFPHCCESXPZRWMEWGFCALFMDGOIEYAUSWWMBCHUQFBDJAZGNOFCHHPWSPGMHXGUSYBEKNZGGOHLEYLHJOUACYWSDKSJOOWHEPLCCKEWYVGVDSYJISOXMVCTJOSETWHUFBVDRYYAHSNIHPIRACNMMCDXLNSSFMVYGREIDELWCRHNKSOHQZMWMXEQMSXGXGWJQEDVLZMOLCVOBDXALQOHTEQUQCXKBTZHLAPBTYYAAPCTPIOGNQTMUINQRWRUZPUNQRXBMEDXPKAFCNTHZHZNOSMHOZZDSRACZMUSFUZGUJWIHKQKPTYZQWGZAUVTCZBLLEBGRXXRHNYNRCEMXSYIJTSCGAJZWVATKNNHCIBGACCGABGJJVWJDJTYOTKQWITZPWLFTBKVEPEVHMSUDPVSVB
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (1024), with CRLF line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1026
                                                                                                                                                                                                                                                        Entropy (8bit):4.69422273140364
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:hdGRma8y0UOkmVb01yh9qfT+PsSMxto3vIcMhrzxYWSDHtj:hdGRma6bRh9rsFE/uhrOWSDHh
                                                                                                                                                                                                                                                        MD5:A686C2E2230002C3810CB3638589BF01
                                                                                                                                                                                                                                                        SHA1:4B764DD14070E52A2AC0458F401CDD5724E714FB
                                                                                                                                                                                                                                                        SHA-256:38F526D338AC47F7C2CAB7AB654A375C87E51CC56B4FA09A7C5769E2FB472FFC
                                                                                                                                                                                                                                                        SHA-512:1F2AA9D4B55B52C32EF0C88189256562B16DF13EEA0564BD7B47E45CC39279F39823033ADF95BBD9A50B4F35E417E418C4D20BBE14EF425EFF7134ECE05BEB3F
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SUAVTZKNFLPDUIKIPSQJDVGAPGXKDOHYHNOWHLTUYHUBPZNAGHXWSRGELNTTLWSOVKHBKQEKGENMQDFUYQEFPUMFVGFHNHBEYAAJVHSIYLSLGVZSSKYNEFOJGJXPWCGXOBRZVXDWDDKKLDGWVLNCMOJKBSBYFMTKILZOONEGLZWORUNOTXJNOTGXQTUBOXEFHVICNNYYHMRGCLTZLWQODATYJZBGFVEMSABDUIKNKVRGQOHHCSHZAJIYWZLGGZOOEOQBTEAFTXBQJIHRZBDRPFDGHVFGYZEIHFYVBPAXJYSLOTRVHEFEEWXUGJCOLFXEKSPFHBKQEHGPZADNNCAUYCTEDLFKZMZOQOADUCTDIOYKELVKGABHEMOSAYPWUUKTZHQNEQWLFATTPCULHLMBMEQVAXDFQNQLMLVOFTUTWLMJNLVNCRHTWUTJEEORGWISXALHDTNXRCWVMZRUEMSVOJYMENRHGVXXMGLOWYRFKZLPBZQMETPESMZPCJGYXVQSMCJXYEMMNKLPIXGOXOMQNYCFAEVPXDGOFEGSLWKBUOLRKXGTWDFUVGYFTOWQZAOIMQUZEELMCQWKUBEWGFDVXSXNGHPJNVDQHMPSSIFZTQLVBBHZOEGNPDAWAYLIRBWZHXRAXBBESYNRIRINAKLQMELNYRHRPKDBUCNSZOVHNTBCUYDQTGFWZJUCUZBHHXHQHKWOWTEWLUGGGWHIHCWZLLJPDFVDICZBBLFSECTLMQBKCPCHANOICKIUSVAJTYQOIUWRGVAFOFTMIHARUUCNGBLVFIKMTTGPYXNEVGLPMZDMIQDQOLIEFHNZYMZTCDOHBNQLNVLXRUXMGYCVOJDBWPSJKMFMEDBEMXULQBRVRKPYNUACCXNPGFEMPXDXNEIPTKGSKUMVFSLCTJFHNFATCDKSZWKYMVQNTVHCOAJXDUTJZESFLKTQOGREXBTBVBGLDYJYDTNEAQDFRTXMJIHJCCTPUDZLNKNEABFQYCDL
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):60
                                                                                                                                                                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                        Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
Entropy (8bit):4.038920595031593
Encrypted:false
SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
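The card fields above (Size, Entropy (8bit), MD5, SHA1, SHA-256, SHA-512) can be recomputed locally to confirm that a file pulled off the analysis VM is the same artifact the report describes, and to tell apart the three identical __PSScriptPolicyTest probes from anything a malware process dropped. The following is an added example, not code from the Joe Sandbox report or from Joe Security; it assumes the dropped file's content is the preview text followed by one trailing space, which is what brings the 59 visible characters to the reported 60 bytes and reproduces the reported entropy. The `file_card` and `matches_report` helper names are the example's own.

```python
"""Recompute the per-file fields of a sandbox 'dropped file' card
(size, 8-bit Shannon entropy, MD5/SHA-1/SHA-256/SHA-512) so a report
value can be cross-checked against a local copy of the artifact.
Added example; not code from the sandbox vendor."""
import hashlib
import math
from collections import Counter

# Constructed sample: the 60-byte AppLocker probe that powershell.exe
# writes as __PSScriptPolicyTest_*.ps1. The trailing space is assumed to
# be part of the file: 59 visible characters + 1 = the reported 60 bytes.
PS_POLICY_TEST = b"# PowerShell test file to determine AppLocker lockdown mode "


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 (constant) .. 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_card(data: bytes) -> dict:
    """Same fields the report lists, digests upper-cased like the report."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def matches_report(card: dict, reported: dict, tol: float = 1e-9) -> bool:
    """True when every field present in `reported` agrees with `card`.

    Entropy is compared with a tolerance because the report prints a
    float; digests and size must match exactly."""
    for key, value in reported.items():
        if key == "entropy":
            if abs(card[key] - value) > tol:
                return False
        elif card[key] != value:
            return False
    return True


if __name__ == "__main__":
    card = file_card(PS_POLICY_TEST)
    # Values copied from the card above for the PowerShell probe file.
    reported = {"size": 60, "entropy": 4.038920595031593}
    print("matches report:", matches_report(card, reported))
    print("md5:", card["md5"])
```

Entropy alone is a weak discriminator (any permutation of the same bytes scores the same), so use it only as a quick sanity check on the byte distribution and rely on the digests for identity.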
Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
File Type:ASCII text, with very long lines (369), with CRLF line terminators
Category:dropped
Size (bytes):530
Entropy (8bit):6.005544722730675
Encrypted:false
SSDEEP:12:c7F2v4kMx/6UsMbf4/LJPhvkRj6a9kuEYTCRopYxOOVtouEYv:SCJyHXbfQJPh8RdkYiFoYv
MD5:987FB1A1830B0EB5C0D306F8A2DE9981
SHA1:8374E6320AD99C3FF177A9889F1AB75448F6EB19
SHA-256:5EF24A6CE57CA3048431555909EC23CD5494DA76845F84271946442249DDA891
SHA-512:9E2A48264084B79051FC275DD7780A5552B56220459A1CDDBE6F6A307FE0E5759AE20BC243D085D9734153879AC4E66233AB83F92551DD8092EABF85B16F2D15
Malicious:false
Preview:.google.com.TRUE./.TRUE.1712298002.NID.ENC893*_djEwx6CLkXLg8AuSZWCgylmAsMNnd1LSfbcL+IfCgMvX/m5IrzdSwxt6X6n5S6C7wCoUoWvuixZpzrMizGZc5ohIpmsvlOrGTOhFkQ4+lCF6fVH0QNPBBb27o2nXM8em7EAYS1bYZC2LV04SqpgyxJmdfFA7UyWUoK8kFZQDRl0vdOzWdvAoumw2skuCCtJC2oG3z3OYbLTLDbM7wYvVmfDeqtnZRihAAt+ptqI6cfY1a+KO9XP+4XkDSXW7JhsexYHBqzSSBmUisGZ7f9E=_DrTFYLsM7YVgEN6pCv/RXeb8Bq748EwHbsLCIGv1kEc=*...google.com.FALSE./.TRUE.1699078840.1P_JAR.ENC893*_djEwZKzV9KAslchfQWnVTck71JHMVRC24lvAWgdl5WpYIXlINsbQSVWzkKU=_DrTFYLsM7YVgEN6pCv/RXeb8Bq748EwHbsLCIGv1kEc=*..
Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
File Type:ASCII text, with CRLF, LF line terminators
Category:dropped
Size (bytes):6917
Entropy (8bit):5.482757167804377
Encrypted:false
SSDEEP:96:xfW9ZRevcBC1IUlzhg3ojVT3W8PiHNUbg3x:xycv84IUlzh6og8iB
MD5:474DFA7EA48A6AB7198DB3C82AE5AEAD
SHA1:F8E2587E21EF1563062B8B231524B1BA50DB2C4B
SHA-256:86066F7FDF0F4F1FEA0E8791BF38A6332C2E6219F8783FEA2148815BC71014F8
SHA-512:6CA3C0F8532B74E3DF348DB0EC1AFF4131D0DF7B17DEC6D406A84B2DA1D7D8564547FD43CA08CB1E17E39774FC2ADEDDACFFAD2E5152CC7F55D701CC13DE787D
Malicious:false
Preview:Build: bladak..Version: 1.9....Date: Thu Apr 18 22:53:46 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: fab0de64d6d86afb879320e5cce47515....Path: C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe..Work Dir: C:\Users\user\AppData\Local\Temp\adobeFKTtj9iAe3HH....IP: 81.181.57.52..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 134349 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 18/4/2024 22:53:46..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [328]..csrss.exe [412]..wininit.exe [488]..csrss.exe [496]..winlogon.exe [560]..services.exe [632]..lsass.exe [652]..svchost.exe [752]..fontdrvhost
Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
Category:dropped
Size (bytes):4897
Entropy (8bit):2.518316437186352
Encrypted:false
SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
Malicious:false
Preview:................................................................................................................................................................................................................................................................................................................................................
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:ASCII text, with very long lines (369), with CRLF line terminators
Category:dropped
Size (bytes):530
Entropy (8bit):6.005544722730675
Encrypted:false
SSDEEP:12:c7F2v4kMx/6UsMbf4/LJPhvkRj6a9kuEYTCRopYxOOVtouEYv:SCJyHXbfQJPh8RdkYiFoYv
MD5:987FB1A1830B0EB5C0D306F8A2DE9981
SHA1:8374E6320AD99C3FF177A9889F1AB75448F6EB19
SHA-256:5EF24A6CE57CA3048431555909EC23CD5494DA76845F84271946442249DDA891
SHA-512:9E2A48264084B79051FC275DD7780A5552B56220459A1CDDBE6F6A307FE0E5759AE20BC243D085D9734153879AC4E66233AB83F92551DD8092EABF85B16F2D15
Malicious:false
Preview:.google.com.TRUE./.TRUE.1712298002.NID.ENC893*_djEwx6CLkXLg8AuSZWCgylmAsMNnd1LSfbcL+IfCgMvX/m5IrzdSwxt6X6n5S6C7wCoUoWvuixZpzrMizGZc5ohIpmsvlOrGTOhFkQ4+lCF6fVH0QNPBBb27o2nXM8em7EAYS1bYZC2LV04SqpgyxJmdfFA7UyWUoK8kFZQDRl0vdOzWdvAoumw2skuCCtJC2oG3z3OYbLTLDbM7wYvVmfDeqtnZRihAAt+ptqI6cfY1a+KO9XP+4XkDSXW7JhsexYHBqzSSBmUisGZ7f9E=_DrTFYLsM7YVgEN6pCv/RXeb8Bq748EwHbsLCIGv1kEc=*...google.com.FALSE./.TRUE.1699078840.1P_JAR.ENC893*_djEwZKzV9KAslchfQWnVTck71JHMVRC24lvAWgdl5WpYIXlINsbQSVWzkKU=_DrTFYLsM7YVgEN6pCv/RXeb8Bq748EwHbsLCIGv1kEc=*..
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:ASCII text, with CRLF, LF line terminators
Category:dropped
Size (bytes):6952
Entropy (8bit):5.48242930049181
Encrypted:false
SSDEEP:96:xfq7ZZRefcBC1IUlzhg3jVT3W8P/zHNUbg3x:xSrcf84IUlzh6g83lB
MD5:8896A9675D24093956BBF66CEBF33061
SHA1:7343F0F6066F8CF8546DCFFF18933517DD5DE45E
SHA-256:7F4A173F984AA515823870A26BE99F0BA3CF4A2C9E58642F520F367916A9CB6B
SHA-512:28ED99F6E0E8440A21C5DD7D38E1B3C757A233791FD7CF5902D2BDB2AD72CC5860A10A6ECF1C8937B4A1C3B4E7A9B74E35B1896DB4715C001CFCC38DD368CDF5
Malicious:false
Preview:Build: bladak..Version: 1.9....Date: Thu Apr 18 22:53:55 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: fab0de64d6d86afb879320e5cce47515....Path: C:\ProgramData\MPGPH131\MPGPH131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\adobecDtxXJPvl4rB....IP: 81.181.57.52..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 134349 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 18/4/2024 22:53:55..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [328]..csrss.exe [412]..wininit.exe [488]..csrss.exe [496]..winlogon.exe [560]..services.exe [632]..lsass.exe [652]..svchost.exe [752]..fontdrvhost.exe [780]..fontdrvhost.ex
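The two "Build: bladak / Version: 1.9" files above, one written by a14d081f84.exe and one by MPGPH131.exe, are the stealer's host-profile log: the same MachineID, GUID and HWID, differing only in Path, Work Dir and timestamp, which shows both processes are the same payload run from two locations. The following is an added example, not the stealer's code and not part of the Joe Sandbox report, that turns such a log into structured fields for triage. The layout is inferred from the previews only (CRLF-separated "Key: Value" lines, blank lines, "[Section]" headers and "name [pid]" entries under [Processes]; the report renders each CR or LF as a dot, so ".." is one CRLF and the lone dot after the Date line is a bare LF). The sample text is constructed from the first preview, and `parse_stealer_log` and `host_indicators` are the example's own names.

```python
"""Parse the system-information log that the dropped stealer component
writes into structured fields. Added example, not the stealer's or the
sandbox vendor's code; the layout is inferred from the report previews:
'Key: Value' lines, blank lines, '[Section]' headers and, under
[Processes], 'name [pid]' entries."""
import re
from typing import Any, Dict, Tuple

# Constructed sample assembled from the preview of the first log. The
# report renders every CR/LF byte as '.', so '..' in the preview is one
# CRLF line break and the lone '.' after the Date line is a bare LF.
SAMPLE_LOG = (
    "Build: bladak\r\n"
    "Version: 1.9\r\n"
    "\r\n"
    "Date: Thu Apr 18 22:53:46 2024\n"
    "MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06\r\n"
    "GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}\r\n"
    "HWID: fab0de64d6d86afb879320e5cce47515\r\n"
    "\r\n"
    "Path: C:\\Users\\user\\AppData\\Local\\Temp\\1000056001\\a14d081f84.exe\r\n"
    "Work Dir: C:\\Users\\user\\AppData\\Local\\Temp\\adobeFKTtj9iAe3HH\r\n"
    "\r\n"
    "IP: 81.181.57.52\r\n"
    "Location: US, Atlanta\r\n"
    "ZIP (Autofills): -\r\n"
    "Windows: Windows 10 Pro [x64]\r\n"
    "Computer Name: 134349 [WORKGROUP]\r\n"
    "User Name: user\r\n"
    "Local Time: 18/4/2024 22:53:46\r\n"
    "TimeZone: UTC1\r\n"
    "\r\n"
    "[Hardware]\r\n"
    "Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz\r\n"
    "CPU Count: 4\r\n"
    "RAM: 8191 MB\r\n"
    "VideoCard #0: Microsoft Basic Display Adapter\r\n"
    "\r\n"
    "[Processes]\r\n"
    "System [4]\r\n"
    "Registry [92]\r\n"
    "smss.exe [328]\r\n"
    "csrss.exe [412]\r\n"
    "lsass.exe [652]\r\n"
)

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
PROCESS_RE = re.compile(r"^(?P<name>.+?) \[(?P<pid>\d+)\]$")


def parse_stealer_log(text: str) -> Dict[str, Any]:
    """Return {'General': {...}, 'Hardware': {...}, 'Processes': [(name, pid), ...]}.

    Lines before the first '[Section]' header go into 'General'. Only the
    [Processes] section is matched as 'name [pid]': header-block values
    such as 'Windows 10 Pro [x64]' or '134349 [WORKGROUP]' would otherwise
    be misread as process entries."""
    sections: Dict[str, Any] = {"General": {}}
    current = "General"
    for raw in text.splitlines():  # handles CRLF and bare LF alike
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            sections.setdefault(current, [] if current == "Processes" else {})
            continue
        if current == "Processes":
            proc = PROCESS_RE.match(line)
            if proc:
                sections[current].append((proc.group("name"), int(proc.group("pid"))))
            continue
        key, sep, value = line.partition(": ")  # split on the first ': ' only
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


# Victim identifiers and payload locations a responder pivots on across
# logs: the two logs in this report share MachineID/GUID/HWID and differ
# only in Path, Work Dir and timestamps.
PIVOT_KEYS: Tuple[str, ...] = ("MachineID", "GUID", "HWID", "Path", "Work Dir", "IP")


def host_indicators(parsed: Dict[str, Any]) -> Dict[str, str]:
    general = parsed["General"]
    return {k: general[k] for k in PIVOT_KEYS if k in general}


if __name__ == "__main__":
    parsed = parse_stealer_log(SAMPLE_LOG)
    print(host_indicators(parsed))
    print(parsed["Hardware"]["CPU Count"], "CPUs,", len(parsed["Processes"]), "processes")
```

Feeding the second log (Path C:\ProgramData\MPGPH131\MPGPH131.exe) through the same parser and diffing `host_indicators` output is the quickest way to confirm the two dropped files describe one victim and one payload, with the ProgramData copy being the persistence location.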
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
Category:dropped
Size (bytes):4897
Entropy (8bit):2.518316437186352
Encrypted:false
SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:ASCII text, with very long lines (369), with CRLF line terminators
Category:dropped
Size (bytes):530
Entropy (8bit):6.005544722730675
Encrypted:false
SSDEEP:12:c7F2v4kMx/6UsMbf4/LJPhvkRj6a9kuEYTCRopYxOOVtouEYv:SCJyHXbfQJPh8RdkYiFoYv
MD5:987FB1A1830B0EB5C0D306F8A2DE9981
SHA1:8374E6320AD99C3FF177A9889F1AB75448F6EB19
SHA-256:5EF24A6CE57CA3048431555909EC23CD5494DA76845F84271946442249DDA891
SHA-512:9E2A48264084B79051FC275DD7780A5552B56220459A1CDDBE6F6A307FE0E5759AE20BC243D085D9734153879AC4E66233AB83F92551DD8092EABF85B16F2D15
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:ASCII text, with CRLF, LF line terminators
Category:dropped
Size (bytes):6929
Entropy (8bit):5.484446782233514
Encrypted:false
SSDEEP:96:xfq7MZRefcBC1IUlzhg3jVT3W8PuHNUbg3x:xSccf84IUlzh6g8mB
MD5:5C1AABE8F23FB2627F9D3EA23FBB5787
SHA1:7F400D79E5900216511AA2359B6656FBA4F6C5F4
SHA-256:263D84DA24AC5CAFAA1EA059CB3CD059EBAB8342D9CE594E532C5D668FCD0DD9
SHA-512:1FA631A2A2B21002673E3D40F2EBF2D0583250011D328EF1F151251BCEB33FDC3A6E8BBD09C78D85E79FC31A1B30F62F6EA24EADE26E1D2F6914C680A2887C68
Malicious:false
Preview:Build: bladak..Version: 1.9....Date: Thu Apr 18 22:53:55 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: fab0de64d6d86afb879320e5cce47515....Path: C:\ProgramData\MPGPH131\MPGPH131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\adobeiQskrzD7p1_a....IP: 81.181.57.52..Location: US, Atlanta..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 134349 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 18/4/2024 22:53:55..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [328]..csrss.exe [412]..wininit.exe [488]..csrss.exe [496]..winlogon.exe [560]..services.exe [632]..lsass.exe [652]..svchost.exe [752]..fontdrvhost.exe [780]..fontdrvhost.ex
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
Category:dropped
Size (bytes):4897
Entropy (8bit):2.518316437186352
Encrypted:false
SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
Malicious:false
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
Category:modified
Size (bytes):2995
Entropy (8bit):7.723165752245958
Encrypted:false
SSDEEP:48:9xa7XZV//QWGPvcdf+d+sj3+caiTGY+p7CMLYThzN463sjowtuwviVvn3KJ6Rkyn:eZV//Q1vcdCj+CWFpYTzqjowviVv3KJI
MD5:B46E445C7F5C153A859125B2EFD4C197
SHA1:334F7686CC80A73E0A46FAAF0CC087F2C03B0232
SHA-256:C6F9606463DE0C5049C65C3965C900228C72C3876D4C316078F95617FF135E51
SHA-512:FAD23F6BE1E818A574A45F35D9E036F051CB6BEA61E44B225372D8B45D470B6992FF19B43165D9DC9384694DA3F5628CFDEC8ADA241C0F491086F38CBA91FD8F
Malicious:true
Yara Hits:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\ai7r4g0iAr_FU6jbGEv2feP.zip, Author: Joe Security
Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):98304
Entropy (8bit):0.08235737944063153
Encrypted:false
SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):51200
Entropy (8bit):0.8745947603342119
Encrypted:false
SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
MD5:378391FDB591852E472D99DC4BF837DA
SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
Category:dropped
Size (bytes):20480
Entropy (8bit):0.8508558324143882
Encrypted:false
SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
MD5:933D6D14518371B212F36C3835794D75
                                                                                                                                                                                                                                                        SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                                                                                                                                                                                        SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                                                                                                                                                                                        SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
                                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):155648
                                                                                                                                                                                                                                                        Entropy (8bit):0.5407252242845243
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                                                                                                                                                                                        MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                                                                                                                                                                                        SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                                                                                                                                                                                        SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                                                                                                                                                                                        SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
                                                                                                                                                                                                                                                        File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):5242880
                                                                                                                                                                                                                                                        Entropy (8bit):0.0357803477377646
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:192:58rJQaXoMXp0VW9FxWwJU0VnQphI1mJ/8GJK:58r54w0VW3xWB0VaI4
                                                                                                                                                                                                                                                        MD5:76D181A334D47872CD2E37135CC83F95
                                                                                                                                                                                                                                                        SHA1:B563370B023073CE6E0F63671AA4AF169ABBF4E1
                                                                                                                                                                                                                                                        SHA-256:52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
                                                                                                                                                                                                                                                        SHA-512:23E0D43E4785E5686868D5448628718720C5A8D9328EE814CB77807260F7CDA2D01C5DEE8F58B5713F4F09319E6CB7AB24725078C01322BAE04777418A49A9F7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
                                                                                                                                                                                                                                                        File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):5242880
                                                                                                                                                                                                                                                        Entropy (8bit):0.0357803477377646
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:192:58rJQaXoMXp0VW9FxWwJU0VnQphI1mJ/8GJK:58r54w0VW3xWB0VaI4
                                                                                                                                                                                                                                                        MD5:76D181A334D47872CD2E37135CC83F95
                                                                                                                                                                                                                                                        SHA1:B563370B023073CE6E0F63671AA4AF169ABBF4E1
                                                                                                                                                                                                                                                        SHA-256:52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
                                                                                                                                                                                                                                                        SHA-512:23E0D43E4785E5686868D5448628718720C5A8D9328EE814CB77807260F7CDA2D01C5DEE8F58B5713F4F09319E6CB7AB24725078C01322BAE04777418A49A9F7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
                                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):159744
                                                                                                                                                                                                                                                        Entropy (8bit):0.73666944287833
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:w/UDWBsDrBuWBsZsVuejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E7rIDWq:wceZstH+bF+UI3iN0RSV0k3qLyj9Rck
                                                                                                                                                                                                                                                        MD5:4DF872577748F36E8710E479399239B6
                                                                                                                                                                                                                                                        SHA1:A86A9D753DFC606688CCEF12F5FFAA4E0AD856FE
                                                                                                                                                                                                                                                        SHA-256:4E12467265D4149FF770110E11997B9946BF6A90A80107F70B681ED8599D6C7D
                                                                                                                                                                                                                                                        SHA-512:509F1B6BCB3BDF30C87D4FD1DCD12A0CF6A76C1B23479FE7C0D3536FD758BAB685FBDA90AB0AAD87FAE6E41D5F132B2C24FB74539B3D61A0D67BE45F381D4EDA
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
                                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):196608
                                                                                                                                                                                                                                                        Entropy (8bit):1.1239949490932863
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                                                                                                                                                                                        MD5:271D5F995996735B01672CF227C81C17
                                                                                                                                                                                                                                                        SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                                                                                                                                                                                        SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                                                                                                                                                                                        SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.136471148832945
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5:37B1FC046E4B29468721F797A2BB968D
SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.136471148832945
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5:37B1FC046E4B29468721F797A2BB968D
SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.136471148832945
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5:37B1FC046E4B29468721F797A2BB968D
SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):196608
Entropy (8bit):1.1239949490932863
Encrypted:false
SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:271D5F995996735B01672CF227C81C17
SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):155648
Entropy (8bit):0.5407252242845243
Encrypted:false
SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:7B955D976803304F2C0505431A0CF1CF
SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):196608
Entropy (8bit):1.1239949490932863
Encrypted:false
SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:271D5F995996735B01672CF227C81C17
                                                                                                                                                                                                                                                        SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                                                                                                                                                                                        SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                                                                                                                                                                                        SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
                                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):159744
                                                                                                                                                                                                                                                        Entropy (8bit):0.73666944287833
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:w/UDWBsDrBuWBsZsVuejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E7rIDWq:wceZstH+bF+UI3iN0RSV0k3qLyj9Rck
                                                                                                                                                                                                                                                        MD5:4DF872577748F36E8710E479399239B6
                                                                                                                                                                                                                                                        SHA1:A86A9D753DFC606688CCEF12F5FFAA4E0AD856FE
                                                                                                                                                                                                                                                        SHA-256:4E12467265D4149FF770110E11997B9946BF6A90A80107F70B681ED8599D6C7D
                                                                                                                                                                                                                                                        SHA-512:509F1B6BCB3BDF30C87D4FD1DCD12A0CF6A76C1B23479FE7C0D3536FD758BAB685FBDA90AB0AAD87FAE6E41D5F132B2C24FB74539B3D61A0D67BE45F381D4EDA
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
                                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                                        Entropy (8bit):0.6732424250451717
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                                                                                                                                                                        MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                                                                                                                                                                        SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                                                                                                                                                                        SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                                                                                                                                                                        SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                                                                                        File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):98304
                                                                                                                                                                                                                                                        Entropy (8bit):0.08235737944063153
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                                                                                                                                                        MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                                                                                                                                                        SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                                                                                                                                                        SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                                                                                                                                                        SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                                        Entropy (8bit):0.8508558324143882
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                                                                                                                                                                                        MD5:933D6D14518371B212F36C3835794D75
                                                                                                                                                                                                                                                        SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                                                                                                                                                                                        SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                                                                                                                                                                                        SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):106496
                                                                                                                                                                                                                                                        Entropy (8bit):1.136471148832945
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                                                                                                                                                                                        MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                                                                                                                                                                                        SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                                                                                                                                                                                        SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                                                                                                                                                                                        SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.0357803477377646
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWwJU0VnQphI1mJ/8GJK:58r54w0VW3xWB0VaI4
MD5:76D181A334D47872CD2E37135CC83F95
SHA1:B563370B023073CE6E0F63671AA4AF169ABBF4E1
SHA-256:52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
SHA-512:23E0D43E4785E5686868D5448628718720C5A8D9328EE814CB77807260F7CDA2D01C5DEE8F58B5713F4F09319E6CB7AB24725078C01322BAE04777418A49A9F7
Malicious:false
Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):196608
Entropy (8bit):1.1239949490932863
Encrypted:false
SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:271D5F995996735B01672CF227C81C17
SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:false
Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.136471148832945
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5:37B1FC046E4B29468721F797A2BB968D
SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious:false
Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.0357803477377646
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWwJU0VnQphI1mJ/8GJK:58r54w0VW3xWB0VaI4
MD5:76D181A334D47872CD2E37135CC83F95
SHA1:B563370B023073CE6E0F63671AA4AF169ABBF4E1
SHA-256:52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
SHA-512:23E0D43E4785E5686868D5448628718720C5A8D9328EE814CB77807260F7CDA2D01C5DEE8F58B5713F4F09319E6CB7AB24725078C01322BAE04777418A49A9F7
Malicious:false
Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:dropped
Size (bytes):196608
Entropy (8bit):1.1239949490932863
Encrypted:false
SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:271D5F995996735B01672CF227C81C17
SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:false
Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):155648
Entropy (8bit):0.5407252242845243
Encrypted:false
SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:7B955D976803304F2C0505431A0CF1CF
SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:false
Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):159744
Entropy (8bit):0.73666944287833
Encrypted:false
SSDEEP:96:w/UDWBsDrBuWBsZsVuejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E7rIDWq:wceZstH+bF+UI3iN0RSV0k3qLyj9Rck
MD5:4DF872577748F36E8710E479399239B6
SHA1:A86A9D753DFC606688CCEF12F5FFAA4E0AD856FE
SHA-256:4E12467265D4149FF770110E11997B9946BF6A90A80107F70B681ED8599D6C7D
SHA-512:509F1B6BCB3BDF30C87D4FD1DCD12A0CF6A76C1B23479FE7C0D3536FD758BAB685FBDA90AB0AAD87FAE6E41D5F132B2C24FB74539B3D61A0D67BE45F381D4EDA
Malicious:false
Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
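The "File Type" strings above are what file(1)'s SQLite magic reads out of the 100-byte database header, and "Entropy (8bit)" is the 8-bit Shannon entropy of the whole file (assumed here; Joe Sandbox does not state the formula on this page). The following Python is an added example, not part of the Joe Sandbox report or of the malware: it decodes that header, renders it in the same field order as the report, checks the logical database size against the page count, and computes the entropy. The sample database is constructed in the script from the header values of the 196608-byte entry (page size 2048, file counter 8, 89 pages, cookie 0x37); it is not the dropped file, and describe() is an approximation of file(1)'s output, not its magic file.

```python
import math
import struct
from collections import Counter

SQLITE_MAGIC = b"SQLite format 3\x00"
ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}


def parse_sqlite_header(data: bytes) -> dict:
    """Decode the 100-byte SQLite 3 file header; every multi-byte field is big-endian."""
    if len(data) < 100 or data[:16] != SQLITE_MAGIC:
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:  # the value 1 encodes the maximum page size, 65536
        page_size = 65536
    f = struct.unpack(">12I", data[24:72])  # change counter .. application id
    version_valid_for, sqlite_version = struct.unpack(">II", data[92:100])
    return {
        "page_size": page_size,
        "write_version": data[18],  # 1 = rollback journal, 2 = WAL
        "read_version": data[19],
        "file_counter": f[0],
        "database_pages": f[1],
        "cookie": f[4],   # schema cookie, bumped on every schema change
        "schema": f[5],   # schema format number, 4 is current
        "encoding": ENCODINGS.get(f[8], f"unknown({f[8]})"),
        "user_version": f[9],
        "application_id": f[11],
        "version_valid_for": version_valid_for,
        "sqlite_version": sqlite_version,  # 3042000 means SQLite 3.42.0
    }


def describe(h: dict) -> str:
    """Render a header like the report's 'File Type' line (approximation of file(1):
    the defaults page size 1024 and writer/read version 1 are left out)."""
    parts = ["SQLite 3.x database"]
    if h["user_version"]:
        parts.append(f"user version {h['user_version']}")
    parts.append(f"last written using SQLite version {h['sqlite_version']}")
    if h["page_size"] != 1024:
        parts.append(f"page size {h['page_size']}")
    if h["write_version"] != 1:
        parts.append(f"writer version {h['write_version']}")
    if h["read_version"] != 1:
        parts.append(f"read version {h['read_version']}")
    parts += [
        f"file counter {h['file_counter']}",
        f"database pages {h['database_pages']}",
        f"cookie 0x{h['cookie']:x}",
        f"schema {h['schema']}",
        h["encoding"],
        f"version-valid-for {h['version_valid_for']}",
    ]
    return ", ".join(parts)


def logical_size(h: dict) -> int:
    """Bytes the header claims the database occupies. Per the SQLite format, the
    in-header page count is valid only when non-zero and version-valid-for
    equals the file change counter; otherwise fall back to the file size."""
    if h["database_pages"] == 0 or h["version_valid_for"] != h["file_counter"]:
        raise ValueError("in-header page count is stale")
    return h["database_pages"] * h["page_size"]


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def preview(data: bytes, length: int = 100) -> str:
    """Printable projection of the leading bytes, in the style of the report's 'Preview' line."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data[:length])


def build_header(page_size, file_counter, pages, cookie, schema=4, encoding=1,
                 user_version=0, write_version=1, read_version=1,
                 sqlite_version=3042000) -> bytes:
    """Assemble a 100-byte header for a constructed sample (not a dropped file)."""
    hdr = bytearray(100)
    hdr[0:16] = SQLITE_MAGIC
    struct.pack_into(">HBBBBBB", hdr, 16, 1 if page_size == 65536 else page_size,
                     write_version, read_version, 0, 64, 32, 32)
    struct.pack_into(">12I", hdr, 24, file_counter, pages, 0, 0, cookie, schema,
                     0, 0, encoding, user_version, 0, 0)
    struct.pack_into(">II", hdr, 92, file_counter, sqlite_version)
    return bytes(hdr)


# Constructed sample: header values of the 196608-byte entry above, padded to one page.
SAMPLE_DB = build_header(2048, 8, 89, 0x37) + b"\x00" * (2048 - 100)

if __name__ == "__main__":
    h = parse_sqlite_header(SAMPLE_DB)
    print(describe(h))
    print(preview(SAMPLE_DB, 44))
    print(f"logical size {logical_size(h)} bytes, entropy {shannon_entropy(SAMPLE_DB):.4f}")
```

Two things this makes easy to check on the entries above. The 5242880-byte databases are listed with writer version 2 and read version 2, i.e. WAL mode, so a copy taken by the stealer without the matching -wal file may be missing recently committed rows; and their header says 46 pages of 32768 bytes, which is 1507328 bytes, so the file on disk is larger than the logical database it describes (version-valid-for equals the file counter, so that page count is valid by the format's own rule).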
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):159744
Entropy (8bit):0.73666944287833
Encrypted:false
SSDEEP:96:w/UDWBsDrBuWBsZsVuejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E7rIDWq:wceZstH+bF+UI3iN0RSV0k3qLyj9Rck
MD5:4DF872577748F36E8710E479399239B6
                                                                                                                                                                                                                                                        SHA1:A86A9D753DFC606688CCEF12F5FFAA4E0AD856FE
                                                                                                                                                                                                                                                        SHA-256:4E12467265D4149FF770110E11997B9946BF6A90A80107F70B681ED8599D6C7D
                                                                                                                                                                                                                                                        SHA-512:509F1B6BCB3BDF30C87D4FD1DCD12A0CF6A76C1B23479FE7C0D3536FD758BAB685FBDA90AB0AAD87FAE6E41D5F132B2C24FB74539B3D61A0D67BE45F381D4EDA
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):155648
                                                                                                                                                                                                                                                        Entropy (8bit):0.5407252242845243
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                                                                                                                                                                                        MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                                                                                                                                                                                        SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                                                                                                                                                                                        SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                                                                                                                                                                                        SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):196608
                                                                                                                                                                                                                                                        Entropy (8bit):1.1239949490932863
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                                                                                                                                                                                        MD5:271D5F995996735B01672CF227C81C17
                                                                                                                                                                                                                                                        SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                                                                                                                                                                                        SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                                                                                                                                                                                        SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):40960
                                                                                                                                                                                                                                                        Entropy (8bit):0.8553638852307782
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                                                                                                        MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                                                                                                        SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                                                                                                        SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                                                                                                        SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):106496
                                                                                                                                                                                                                                                        Entropy (8bit):1.136471148832945
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                                                                                                                                                                                        MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                                                                                                                                                                                        SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                                                                                                                                                                                        SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                                                                                                                                                                                        SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):40960
                                                                                                                                                                                                                                                        Entropy (8bit):0.8553638852307782
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                                                                                                                        MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                                                                                                                        SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                                                                                                        SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                                                                                                        SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                                        Category:dropped
Size (bytes):51200
Entropy (8bit):0.8745947603342119
Encrypted:false
SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
MD5:378391FDB591852E472D99DC4BF837DA
SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:dropped
Size (bytes):20480
Entropy (8bit):0.6732424250451717
Encrypted:false
SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):98304
Entropy (8bit):0.08235737944063153
Encrypted:false
SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):5242880
Entropy (8bit):0.0357803477377646
Encrypted:false
SSDEEP:192:58rJQaXoMXp0VW9FxWwJU0VnQphI1mJ/8GJK:58r54w0VW3xWB0VaI4
MD5:76D181A334D47872CD2E37135CC83F95
SHA1:B563370B023073CE6E0F63671AA4AF169ABBF4E1
SHA-256:52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
SHA-512:23E0D43E4785E5686868D5448628718720C5A8D9328EE814CB77807260F7CDA2D01C5DEE8F58B5713F4F09319E6CB7AB24725078C01322BAE04777418A49A9F7
Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):159744
Entropy (8bit):0.73666944287833
Encrypted:false
SSDEEP:96:w/UDWBsDrBuWBsZsVuejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E7rIDWq:wceZstH+bF+UI3iN0RSV0k3qLyj9Rck
MD5:4DF872577748F36E8710E479399239B6
SHA1:A86A9D753DFC606688CCEF12F5FFAA4E0AD856FE
SHA-256:4E12467265D4149FF770110E11997B9946BF6A90A80107F70B681ED8599D6C7D
SHA-512:509F1B6BCB3BDF30C87D4FD1DCD12A0CF6A76C1B23479FE7C0D3536FD758BAB685FBDA90AB0AAD87FAE6E41D5F132B2C24FB74539B3D61A0D67BE45F381D4EDA
Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):155648
Entropy (8bit):0.5407252242845243
Encrypted:false
SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:7B955D976803304F2C0505431A0CF1CF
SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):40960
Entropy (8bit):0.8553638852307782
Encrypted:false
SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:28222628A3465C5F0D4B28F70F97F482
SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                                                                                                                        SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                                                                                                                        SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                                                                                        File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):5242880
                                                                                                                                                                                                                                                        Entropy (8bit):0.0357803477377646
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:192:58rJQaXoMXp0VW9FxWwJU0VnQphI1mJ/8GJK:58r54w0VW3xWB0VaI4
                                                                                                                                                                                                                                                        MD5:76D181A334D47872CD2E37135CC83F95
                                                                                                                                                                                                                                                        SHA1:B563370B023073CE6E0F63671AA4AF169ABBF4E1
                                                                                                                                                                                                                                                        SHA-256:52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
                                                                                                                                                                                                                                                        SHA-512:23E0D43E4785E5686868D5448628718720C5A8D9328EE814CB77807260F7CDA2D01C5DEE8F58B5713F4F09319E6CB7AB24725078C01322BAE04777418A49A9F7
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):196608
                                                                                                                                                                                                                                                        Entropy (8bit):1.1239949490932863
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                                                                                                                                                                                        MD5:271D5F995996735B01672CF227C81C17
                                                                                                                                                                                                                                                        SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                                                                                                                                                                                        SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                                                                                                                                                                                        SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):196608
                                                                                                                                                                                                                                                        Entropy (8bit):1.1239949490932863
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                                                                                                                                                                                        MD5:271D5F995996735B01672CF227C81C17
                                                                                                                                                                                                                                                        SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                                                                                                                                                                                        SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                                                                                                                                                                                        SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):196608
                                                                                                                                                                                                                                                        Entropy (8bit):1.1239949490932863
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                                                                                                                                                                                        MD5:271D5F995996735B01672CF227C81C17
                                                                                                                                                                                                                                                        SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                                                                                                                                                                                        SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                                                                                                                                                                                        SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                                        Entropy (8bit):0.8508558324143882
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                                                                                                                                                                                        MD5:933D6D14518371B212F36C3835794D75
                                                                                                                                                                                                                                                        SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                                                                                                                                                                                        SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                                                                                                                                                                                        SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 2, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):159744
Entropy (8bit):0.73666944287833
Encrypted:false
SSDEEP:96:w/UDWBsDrBuWBsZsVuejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E7rIDWq:wceZstH+bF+UI3iN0RSV0k3qLyj9Rck
MD5:4DF872577748F36E8710E479399239B6
SHA1:A86A9D753DFC606688CCEF12F5FFAA4E0AD856FE
SHA-256:4E12467265D4149FF770110E11997B9946BF6A90A80107F70B681ED8599D6C7D
SHA-512:509F1B6BCB3BDF30C87D4FD1DCD12A0CF6A76C1B23479FE7C0D3536FD758BAB685FBDA90AB0AAD87FAE6E41D5F132B2C24FB74539B3D61A0D67BE45F381D4EDA
Malicious:false
Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.136471148832945
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5:37B1FC046E4B29468721F797A2BB968D
SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious:false
Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:dropped
Size (bytes):20480
Entropy (8bit):0.6732424250451717
Encrypted:false
SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
Category:dropped
Size (bytes):51200
Entropy (8bit):0.8745947603342119
Encrypted:false
SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
MD5:378391FDB591852E472D99DC4BF837DA
SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
Malicious:false
Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.136471148832945
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5:37B1FC046E4B29468721F797A2BB968D
SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious:false
Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.136471148832945
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5:37B1FC046E4B29468721F797A2BB968D
SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious:false
Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\ProgramData\MPGPH131\MPGPH131.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):155648
Entropy (8bit):0.5407252242845243
Encrypted:false
SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
MD5:7B955D976803304F2C0505431A0CF1CF
SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
Malicious:false
Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Windows\System32\svchost.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):59721128
Entropy (8bit):7.894297326209827
Encrypted:false
SSDEEP:1572864:JLZ1CnPCEBSFRBOf4E/wGfVRMTytvAavLTr:VCnPCbFRBDgzVftvh
MD5:8E9C467EAC35B35DA1F586014F29C330
SHA1:0DD19EA3C791BB453AB530CA65CA12A680E67B65
SHA-256:02FA8D1A57CF9AAB766303A3436E6CC4AE6AAA3348549A6E218437E7D10DC134
SHA-512:D7FAEF92E675064375B1D1CC13F326FED60673B32FAAED5C33EF5255890A72C031E9C5F1B86D2801774E2E47F9A5CD16C66C54398954F57336B07EEAA0E9E49E
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT826D.tmp, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT826D.tmp, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT826D.tmp, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Source: C:\Users\user\AppData\Local\Temp\iolo\dm\BIT826D.tmp, Author: ditekSHen
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 12%
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... ;..........."...0.....V.......... ........@.. ..............................Tp....`....................................O.......|S...............)...`.........8............................................ ............... ..H............text....... ..................... ..`.rsrc...|S.......T.................@..@.reloc.......`......................@..B.......................H.......|...........q...d....P...........................................r...psR........~.....o^........*.s.........~....~D...%-.&~C.........s....%.D...o....*...0..K........r...p}.....(....o....o....o....}#....(.....r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r;..pr...pr...prA..p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p(
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):59721128
                                                                                                                                                                                                                                                        Entropy (8bit):7.894297326209827
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1572864:JLZ1CnPCEBSFRBOf4E/wGfVRMTytvAavLTr:VCnPCbFRBDgzVftvh
                                                                                                                                                                                                                                                        MD5:8E9C467EAC35B35DA1F586014F29C330
                                                                                                                                                                                                                                                        SHA1:0DD19EA3C791BB453AB530CA65CA12A680E67B65
                                                                                                                                                                                                                                                        SHA-256:02FA8D1A57CF9AAB766303A3436E6CC4AE6AAA3348549A6E218437E7D10DC134
                                                                                                                                                                                                                                                        SHA-512:D7FAEF92E675064375B1D1CC13F326FED60673B32FAAED5C33EF5255890A72C031E9C5F1B86D2801774E2E47F9A5CD16C66C54398954F57336B07EEAA0E9E49E
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 12%
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.... ;..........."...0.....V.......... ........@.. ..............................Tp....`....................................O.......|S...............)...`.........8............................................ ............... ..H............text....... ..................... ..`.rsrc...|S.......T.................@..@.reloc.......`......................@..B.......................H.......|...........q...d....P...........................................r...psR........~.....o^........*.s.........~....~D...%-.&~C.........s....%.D...o....*...0..K........r...p}.....(....o....o....o....}#....(.....r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r;..pr...pr...prA..p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p( ...&.r...pr...pr...pr...p(
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
                                                                                                                                                                                                                                                        File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):2976
                                                                                                                                                                                                                                                        Entropy (8bit):7.737920893105656
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:48:9ScaSeXZV//QWGPvcXZ+f6m6EN4ITdUBPTNKIJeNS4X7wjfvT51fVPn3KJ6S0kSo:uZV//Q1vcwfTN4+dCTXw7wf51fJ3KJ/
                                                                                                                                                                                                                                                        MD5:7D8380DBB2AF50C001D981DAC9C02E79
                                                                                                                                                                                                                                                        SHA1:BBFE747B354384C053071D9E76E9EC85EEC1821A
                                                                                                                                                                                                                                                        SHA-256:2CA1554BB1E6E0E99D4FAC5B14000F181D56FE895B81C9A7B8CAE36681063361
                                                                                                                                                                                                                                                        SHA-512:DDC96CDF98CD537CBF6B6D170BDA4AD248C77E92957E297F17AE6C28F71B5150C2A4C2059B41931E7B9257524CDF9DCAB88560B2FB0CC92EE8B55B32EB9A6045
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\qRHF0I3SLdbVi0YvmQyqu8Z.zip, Author: Joe Security
                                                                                                                                                                                                                                                        Preview:PK...........X................Cookies\..PK...........XA.`%............Cookies\Chrome_Default.txt....@.........i.&h.Cn..L...\.FA@.~..v7..O...%!es.f..../S..a...@.,ek.%.H......</<2..,...I..w......1q.f.F+PiM.=h.5..2....0....O..u_.~}Z.UM........y...Rj..4H..D...xLY@....[.d.c&......G_............j%q%....Y.|.....P...u..u..85/..Z`...-..c...^A8n...Y.3......j.G!....c.....AM@!._W.yQbs.@.....h.y.-......|J..i...r....c....M...E...GS...C....X..C.U..v.%......C,.L0,......5.=....6.....PK...........X.$..%...........information.txt.Y[o...~G.?.t^....{.y:.d'..fP.Dg.}0vC.16.M.....m...N"$\...U].m.$.y.D.c.sc."..>"...t;.Ai.h..A.u..F....s.(..3..85W.}.......P....y..{.aB.Z.#,.....w.X...=I.G.1=....X...._..........82.G2.2XX^>..04\."*=.A..G.......ti.2..`..&.._.0H.f..'....1.....&..=.b...,.D.q..r..ln~.2-...a...&W.>..#.#.'h.S.Q.N.M~E.2..2.v~\...`Sf.8I..>.Y..4..>.~A..q.......v..j.)M...+...8.>...~.......B*...;.m..b..?.).d..B../...m.k..7..~.7..|1?.Y.G.+V..t....:..qi".%N.Q.:E.>\j\..i\k.?.OU...
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):13
                                                                                                                                                                                                                                                        Entropy (8bit):2.931208948910323
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3:L8t:Qt
                                                                                                                                                                                                                                                        MD5:DA86F68E284D4B06DB6F8023FBA93580
                                                                                                                                                                                                                                                        SHA1:200B9A3A611E11986ED5DCEE61CCF85EA5383AEB
                                                                                                                                                                                                                                                        SHA-256:69D7A6689EA0C067B62CC6039AE0E0BA65D2C15D3233263612D29216D0B8CC10
                                                                                                                                                                                                                                                        SHA-512:2D1CCC0433A1DB526233831E0A78083E27108A93643697394296473AFFF2C68149B713D9DB38F3BF3B2800C6DC8435234A77AFA8DF1704C8906FC280A1EB2DFF
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:1713479804023
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):112128
                                                                                                                                                                                                                                                        Entropy (8bit):6.400158525810517
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3072:Q3uSD+ZwruS0bGcuZRt2sSZV/Q3IegRQod4l:AuTiabHuZRAFtlD4l
                                                                                                                                                                                                                                                        MD5:726CD06231883A159EC1CE28DD538699
                                                                                                                                                                                                                                                        SHA1:404897E6A133D255AD5A9C26AC6414D7134285A2
                                                                                                                                                                                                                                                        SHA-256:12FEF2D5995D671EC0E91BDBDC91E2B0D3C90ED3A8B2B13DDAA8AD64727DCD46
                                                                                                                                                                                                                                                        SHA-512:9EA82E7CB6C6A58446BD5033855947C3E2D475D2910F2B941235E0B96AA08EEC822D2DD17CC86B2D3FCE930F78B799291992408E309A6C63E3011266810EA83E
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_Amadey_3, Description: Yara detected Amadey\'s Clipper DLL, Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Author: Joe Security
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 82%
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.j.c.j.c.j.8.i.i.j.8.o..j.8.n.q.j..n.l.j..i.r.j..o.B.j.8.k.d.j.c.k...j...c.`.j...j.b.j.....b.j...h.b.j.Richc.j.........................PE..L...j..e...........!.....$...........f.......@............................................@......................... ...........P.......................................8...........................(...@............@..L............................text...6#.......$.................. ..`.rdata..4i...@...j...(..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1285632
                                                                                                                                                                                                                                                        Entropy (8bit):6.460494158653329
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24576:IvkQL6YY4wMPSYZofkf0Gh6Pi41+a9uyP5dggky+yC7:IsMPSYcS5wPi095Pbg9y
                                                                                                                                                                                                                                                        MD5:15A42D3E4579DA615A384C717AB2109B
                                                                                                                                                                                                                                                        SHA1:22AEEDEB2307B1370CDAB70D6A6B6D2C13AD2301
                                                                                                                                                                                                                                                        SHA-256:3C97BB410E49B11AF8116FEB7240B7101E1967CAE7538418C45C3D2E072E8103
                                                                                                                                                                                                                                                        SHA-512:1EB7F126DCCC88A2479E3818C36120F5AF3CAA0D632B9EA803485EE6531D6E2A1FD0805B1C4364983D280DF23EA5CA3AD4A5FCA558AC436EFAE36AF9B795C444
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Author: Joe Security
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 71%
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^.._...^.._...^.._2..^W._..^W._...^W._...^.._...^...^C..^.._...^.._...^..X^...^.._...^Rich...^........................PE..d...i..e.........." .........R......h........................................P............`......................................... ...X...x........ .......`..(............0..........p........................... ................................................text............................... ..`.rdata..............................@..@.data...L........D..................@....pdata..(....`......................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):112128
                                                                                                                                                                                                                                                        Entropy (8bit):6.400356358225577
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3072:D4uSD+ZwruS0bGYuZRtasSVh/QEIegRQod4l:kuTiabruZR8JSlD4l
                                                                                                                                                                                                                                                        MD5:154C3F1334DD435F562672F2664FEA6B
                                                                                                                                                                                                                                                        SHA1:51DD25E2BA98B8546DE163B8F26E2972A90C2C79
                                                                                                                                                                                                                                                        SHA-256:5F431129F97F3D56929F1E5584819E091BD6C854D7E18503074737FC6D79E33F
                                                                                                                                                                                                                                                        SHA-512:1BCA69BBCDB7ECD418769E9D4BEFC458F9F8E3CEE81FEB7316BB61E189E2904F4431E4CC7D291E179A5DEC441B959D428D8E433F579036F763BBAD6460222841
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Yara Hits:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll, Author: Joe Security
• Rule: JoeSecurity_Amadey_3, Description: Yara detected Amadey's Clipper DLL, Source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\clip64.dll, Author: Joe Security
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 96%
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'...c.j.c.j.c.j.8.i.i.j.8.o..j.8.n.q.j..n.l.j..i.r.j..o.B.j.8.k.d.j.c.k...j...c.`.j...j.b.j.....b.j...h.b.j.Richc.j.........................PE..L......e...........!.....$...........f.......@............................................@......................... ...........P.......................................8...........................(...@............@..L............................text...6#.......$.................. ..`.rdata..4i...@...j...(..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1285632
                                                                                                                                                                                                                                                        Entropy (8bit):6.460276790319054
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24576:2vkQL6YY4wMPSYZofkf0Gh6Pi41+a9uyP5dggv4+yC7:2sMPSYcS5wPi095PbgS4
                                                                                                                                                                                                                                                        MD5:F35B671FDA2603EC30ACE10946F11A90
                                                                                                                                                                                                                                                        SHA1:059AD6B06559D4DB581B1879E709F32F80850872
                                                                                                                                                                                                                                                        SHA-256:83E3DF5BEC15D5333935BEA8B719A6D677E2FB3DC1CF9E18E7B82FD0438285C7
                                                                                                                                                                                                                                                        SHA-512:B5FA27D08C64727CEF7FDDA5E68054A4359CD697DF50D70D1D90DA583195959A139066A6214531BBC5F20CD4F9BC1CA3E4244396547381291A6A1D2DF9CF8705
                                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                                        Yara Hits:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Author: Joe Security
                                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 92%
                                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^.._...^.._...^.._2..^W._..^W._...^W._...^.._...^...^C..^.._...^.._...^..X^...^.._...^Rich...^........................PE..d......e.........." .........R......h........................................P............`......................................... ...X...x........ .......`..(............0..........p........................... ................................................text............................... ..`.rdata..............................@..@.data...L........D..................@....pdata..(....`......................@..@_RDATA..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):55
                                                                                                                                                                                                                                                        Entropy (8bit):4.306461250274409
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                                                                                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                                                                                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                                                                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                                                                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\1000054001\amert.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):304
                                                                                                                                                                                                                                                        Entropy (8bit):3.441068409212521
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:dML7XlXUEZ+lX1ErCqdtE9+AQy0lxct0:dm1Q1Eeqs9+nVxct0
                                                                                                                                                                                                                                                        MD5:6EE0E9F6BC6B6B3F87B415B9971C9C4C
                                                                                                                                                                                                                                                        SHA1:C25F2E0CEFD09D289983ECF4ADAAFEF96A60B4CF
                                                                                                                                                                                                                                                        SHA-256:F3D9235876E6BF6739865BD7C873AD4C4CE13AC7ADE6C21727FEC1EEF4410FE2
                                                                                                                                                                                                                                                        SHA-512:41276B12AE03ED954265132C4198918C2D89D838229D2E113F24D309872D308764427D651A90361003B2F245A7B012660F686B68881FB1E0555D776720E40C41
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:......0.Gt.N...>=..F.......<... .....s.......... ....................<.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.4.d.0.a.b.1.5.8.0.4.\.c.h.r.o.s.h.a...e.x.e.........E.N.G.I.N.E.E.R.-.P.C.\.e.n.g.i.n.e.e.r...................0.................6.@3P.........................
                                                                                                                                                                                                                                                        Process:C:\Users\user\Desktop\tA6etkt3gb.exe
                                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):306
                                                                                                                                                                                                                                                        Entropy (8bit):3.4439579558781084
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6:T+9i7TDZXaXUEZ+lX1y6y2l+lRdtE9+AQy0lxct0:y9izlaQ1y6NkDs9+nVxct0
                                                                                                                                                                                                                                                        MD5:48FD2A593A7D55A097E53C1ED6130E60
                                                                                                                                                                                                                                                        SHA1:1EEBB5CE3B1E9611F5D4E5F8A085F545FA08440E
                                                                                                                                                                                                                                                        SHA-256:4DB5CEE6C6F94C94FCB3F74D6C5B8A39ED8D00471BDD2CAAAD3994324E77196C
                                                                                                                                                                                                                                                        SHA-512:CA10BF9404B41107AA797BACECCB2D68496562A856911E21E46AB4473E7FC5075DFA8326E2C35DE8B2FA19AF63841CB4693C1A1B6258C026D8BE4FC917736391
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:.......5..7G.XD.C..xF.......<... .....s.......... ....................=.C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.0.9.f.d.8.5.1.a.4.f.\.e.x.p.l.o.r.h.a...e.x.e.........E.N.G.I.N.E.E.R.-.P.C.\.e.n.g.i.n.e.e.r...................0.................6.@3P.........................
                                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                                        Size (bytes):1835008
                                                                                                                                                                                                                                                        Entropy (8bit):4.471649248730274
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:6144:PzZfpi6ceLPx9skLmb0fJZWSP3aJG8nAgeiJRMMhA2zX4WABluuNejDH5S:bZHtJZWOKnMM6bFpoj4
                                                                                                                                                                                                                                                        MD5:68B3B10D1257B498A425AF990AED8EA0
                                                                                                                                                                                                                                                        SHA1:312FABB22B228897D5FC1B39EC83B20A5EC34F91
                                                                                                                                                                                                                                                        SHA-256:EC69146987CE519FA941860B49C3150E085E4178E1E5DADF74635D0EC5CA3CDA
                                                                                                                                                                                                                                                        SHA-512:8D237958D45EE5A59F89AFB81704A54EA18AD7786D0FF1988328F95A30F432AF244E0ABA6A59E3DB5E24D7CA2971EE7416D7DB4A17B5E7AAC1F56DB3829612D3
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        Preview:regfI...I....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm...................................................................................................................................................................................................................................................................................................................................................r...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (1631)
                                                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                                                        Size (bytes):38525
                                                                                                                                                                                                                                                        Entropy (8bit):5.3838229197405845
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:768:ka4ZsJiVqZZIpNGVMfgXafCcgBRyLa7l6txRjXbwm75/JgZRrQAT6l:bZCfVfCCa7qxR3nt/JgT6
                                                                                                                                                                                                                                                        MD5:F269DC67D0E2355F1A50E500D5BE54A8
                                                                                                                                                                                                                                                        SHA1:96A3A5C465D8A6B18373BF73138DBEB2B03AE534
                                                                                                                                                                                                                                                        SHA-256:7FAB6151E7F2088D3E76373C563CCC3F9AE1523C49E8D38225F82158F8557954
                                                                                                                                                                                                                                                        SHA-512:4B81B50467C5CD3CB11DCA60F6A9438214557565BEE34558B128BE17628965A6184D5845E4B61B883D8C4F140BE97259A16AF5361280EE1ADE4F0E674A4B2101
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=_b,_tp/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=byfTOb,lsjVmc,LEikZe"
                                                                                                                                                                                                                                                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.mpa=function(a){var b=0,c;for(c in a)b++;return b};_.npa=function(a){return a.hh&&"function"==typeof a.hh?a.hh():_.ja(a)||"string"===typeof a?a.length:_.mpa(a)};_.qn=function(a){if(a.Xg&&"function"==typeof a.Xg)return a.Xg();if("undefined"!==typeof Map&&a instanceof Map||"undefined"!==typeof Set&&a instanceof Set)return Array.from(a.values());if("string"===typeof a)return a.split("");if(_.ja(a)){for(var b=[],c=a.length,d=0;d<c;d++)b.push(a[d]);return b}return _.ob(a)};._.opa=function(a){if(a.Vg&&"function"==typeof a.Vg)return a.Vg();if(!a.Xg||"function"!=typeof a.Xg){if("undefined"!==typeof Map&&a instanceof Map)return Array.from(a.keys());if(!("undefined"!==typeof Set&&a instanceof Set)){if(_.ja(a)||"string"===typeof a){var b=[];a=a.length;for(var c=0;c<a;c++)b.push(c);return b}return _.pb(a)}}};.var ppa,spa,rpa,qpa,Gn,In,Epa,vpa,xpa,wpa,Apa,ypa;ppa=function(a,b,c){if(b)re
                                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (4199)
                                                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                                                        Size (bytes):19278
                                                                                                                                                                                                                                                        Entropy (8bit):5.369599228603606
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:384:cvdvKJdlmqS6Y09al9NSQqbZrM+McC4Gw+RXY2RAgpho55WW12:KvV6Y09a3wrHCQ+RIVgwWW12
                                                                                                                                                                                                                                                        MD5:CF3995B2563E0EBF8D485583199AA881
                                                                                                                                                                                                                                                        SHA1:AD8F16F214600B1C8D4B18E6BC227CBBE7921804
                                                                                                                                                                                                                                                        SHA-256:D2D12D9D00DB79F5F874A8A5BF942591D4DB684901EDA33A7CDCA25E6F84377C
                                                                                                                                                                                                                                                        SHA-512:B19CF516537D180DD64A6B9ECDD9760085971422511FF59FA05D120B43B4971611429B5A03D7D5384029D1691B6B414F9340701CA337D5CBA429C32CBE8D4310
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,YHI3We,YTxL4,YgOFye,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,eVCnO,f8Gu1e,hc6Ubd,inNHtf,lsjVmc,ltDFwf,lwddkf,mvkUhe,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,zbML3c,ziZ8Mc,zr1jrb,zu7j8,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=RqjULd"
                                                                                                                                                                                                                                                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.Qu=function(a){this.Ga=_.t(a)};_.A(_.Qu,_.v);_.Ru=function(a,b){return _.wd(a,3,b,_.Cc)};_.Qu.Mb=[1,2,3,4];.var wCa=_.da.URL,xCa,yCa,ACa,zCa;try{new wCa("http://example.com"),xCa=!0}catch(a){xCa=!1}yCa=xCa;.ACa=function(a){var b=_.dh("A");try{_.Kb(b,new _.wb(a));var c=b.protocol}catch(e){throw Error("hc`"+a);}if(""===c||":"===c||":"!=c[c.length-1])throw Error("hc`"+a);if(!zCa.has(c))throw Error("hc`"+a);if(!b.hostname)throw Error("hc`"+a);var d=b.href;a={href:d,protocol:b.protocol,username:"",password:"",hostname:b.hostname,pathname:"/"+b.pathname,search:b.search,hash:b.hash,toString:function(){return d}};zCa.get(b.protocol)===b.port?(a.host=a.hostname,a.port="",a.origin=a.protocol+"//"+a.hostname):.(a.host=b.host,a.port=b.port,a.origin=a.protocol+"//"+a.hostname+":"+a.port);return a};._.BCa=function(a){if(yCa){try{var b=new wCa(a)}catch(d){throw Error("hc`"+a);}var c=zCa.g
                                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (405)
                                                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                                                        Size (bytes):1600
                                                                                                                                                                                                                                                        Entropy (8bit):5.2114513236869175
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:kMYD7FG1NPxuZiWQt+Jcu+yNPx1gODoHTR8uPlyH/6Hum/NtukNPx01JQSokp484:o7UHjAj+s4zR8ClyH5agKGwhkUshvNrw
                                                                                                                                                                                                                                                        MD5:FFE1B082415A066E522D9B7F02EC70E6
                                                                                                                                                                                                                                                        SHA1:041340B4440097D12D3EF465501E51DDC000BAD1
                                                                                                                                                                                                                                                        SHA-256:E7D5B7A3B13D2D5F4599251A11E72AA814CE843921DCDF38C4C0CF2EEB191A67
                                                                                                                                                                                                                                                        SHA-512:8CA5C9CEF07A886536C49648CBC24EAA9026E49FD2DDE95F1470E95D1F3E720158BB4CB8FE411CF7C0FCA4049327129D4342443231B6DC2F7D0963C0B4BD9C0A
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,YHI3We,YTxL4,YgOFye,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,bm51tf,byfTOb,eVCnO,f8Gu1e,hc6Ubd,inNHtf,lsjVmc,ltDFwf,lwddkf,mvkUhe,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,zbML3c,ziZ8Mc,zr1jrb,zu7j8,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=w9hDv,VwDzFe,A7fCU"
                                                                                                                                                                                                                                                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("w9hDv");._.qf(_.dja);_.Nv=function(a){_.I.call(this,a.Ha);this.aa=a.Wa.cache};_.A(_.Nv,_.I);_.Nv.Na=_.I.Na;_.Nv.Ba=function(){return{Wa:{cache:_.$o}}};_.Nv.prototype.execute=function(a){_.nb(a,function(b){var c;_.ie(b)&&(c=b.Za.Wb(b.fb));c&&this.aa.lD(c)},this);return{}};_.Eq(_.yja,_.Nv);._.l();._.k("VwDzFe");.var hE=function(a){_.I.call(this,a.Ha);this.aa=a.Fa.Sq;this.fa=a.Fa.metadata;this.da=a.Fa.Jq};_.A(hE,_.I);hE.Na=_.I.Na;hE.Ba=function(){return{Fa:{Sq:_.ID,metadata:_.oVa,Jq:_.FD}}};hE.prototype.execute=function(a){var b=this;a=this.da.create(a);return _.nb(a,function(c){var d=2===b.fa.getType(c.Ed())?b.aa.Xb(c):b.aa.aa(c);return _.Ij(c,_.JD)?d.then(function(e){return _.md(e)}):d},this)};_.Eq(_.Dja,hE);._.l();._.k("sP4Vbe");._.nVa=new _.xe(_.zja);._.l();._.k("A7fCU");.var ND=function(a){_.I.call(this,a.Ha);this.aa=a.Fa.tL};_.A(ND,_.I);ND.Na=_.I.Na;ND.Ba=function(){r
                                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (775)
                                                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                                                        Size (bytes):1479
                                                                                                                                                                                                                                                        Entropy (8bit):5.306981966963761
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:24:kMYD7x3u0oobgQNcKYYGWn/HTwfUuH0NPIehiofo89Lay2CLtuNGbMfO+Gb6gf6+:o7x+0oo89eHuH6VeyGCZuNGbMG+GbXi+
                                                                                                                                                                                                                                                        MD5:60908F81C5350005E490CB2A7ABB3F37
                                                                                                                                                                                                                                                        SHA1:B82FC316F3035AFF1AFE2035CEB9A2CB04726876
                                                                                                                                                                                                                                                        SHA-256:613712129110A4869B9C63F7058D972C46A410199B8D31C821C5A79A5FC2C2E9
                                                                                                                                                                                                                                                        SHA-512:A88D4E0C24430FF04B84EA2B5EC1B04F9B60C5227FE38D0418C8F710425553CA661B6394A33150C2D75446FD1FB22F01389D9CBA760A36346D963EC3C6B178F1
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,YHI3We,YTxL4,YgOFye,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,eVCnO,f8Gu1e,hc6Ubd,inNHtf,lsjVmc,ltDFwf,lwddkf,mvkUhe,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,zbML3c,ziZ8Mc,zr1jrb,zu7j8,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=bm51tf"
                                                                                                                                                                                                                                                        Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.k("kMFpHd");._.oVa=new _.xe(_.Fk);._.l();._.k("bm51tf");.var rVa=!!(_.Qf[0]>>20&1);var tVa=function(a,b,c,d,e){this.fa=a;this.ta=b;this.ja=c;this.Ca=d;this.Ia=e;this.aa=0;this.da=sVa(this)},uVa=function(a){var b={};_.Ka(a.EN(),function(e){b[e]=!0});var c=a.pN(),d=a.vN();return new tVa(a.kK(),1E3*c.aa(),a.XM(),1E3*d.aa(),b)},sVa=function(a){return Math.random()*Math.min(a.ta*Math.pow(a.ja,a.aa),a.Ca)},OD=function(a,b){return a.aa>=a.fa?!1:null!=b?!!a.Ia[b]:!0};var PD=function(a){_.I.call(this,a.Ha);this.Gc=null;this.fa=a.Fa.EQ;this.ja=a.Fa.metadata;a=a.Fa.D$;this.da=a.fa.bind(a)};_.A(PD,_.I);PD.Na=_.I.Na;PD.Ba=function(){return{Fa:{EQ:_.pVa,metadata:_.oVa,D$:_.iVa}}};PD.prototype.aa=function(a,b){if(1!=this.ja.getType(a.Ed()))return _.Xk(a);var c=this.fa.aa;return(c=c?uVa(c):null)&&OD(c)?_.Fta(a,vVa(this,a,b,c)):_.Xk(a)};.var vVa=function(a,b,c,d){return c.then(function(e){r
                                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                        File Type:HTML document, ASCII text, with very long lines (682)
                                                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                                                        Size (bytes):4126
                                                                                                                                                                                                                                                        Entropy (8bit):5.355816676246375
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:GOFB1Kce2eMXmvci7UccRyDlyiKenjwf9Xn6Ow:93Kcri7U1RyDlyiKenjUN6b
                                                                                                                                                                                                                                                        MD5:C18D7346DE40A0E15C7AD41BDC248E21
                                                                                                                                                                                                                                                        SHA1:1AA3B333CABC332A486E1390FE223ECA98CE9BBE
                                                                                                                                                                                                                                                        SHA-256:555F0968B40AA581D32E1802451B0B941875D0A7571CFCDDD3703BF83FE0DF24
                                                                                                                                                                                                                                                        SHA-512:115945EF71ECF7A1FC00775596237E542F90E733D249C38313653E9FEC086666A7A25714EE432BD3AB50A88E917EEE10696C3E445C127B1AFA71860D8AFA1EA4
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,VwDzFe,YHI3We,YTxL4,YgOFye,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,bm51tf,byfTOb,eVCnO,f8Gu1e,hc6Ubd,inNHtf,lsjVmc,ltDFwf,lwddkf,mvkUhe,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,zbML3c,ziZ8Mc,zr1jrb,zu7j8,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=NTMZac,sOXFj,q0xTif,ZZ4WUe"
                                                                                                                                                                                                                                                        Preview:"use strict";_F_installCss(".N7rBcd{overflow-x:auto}sentinel{}");.this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._.qf(_.Xna);._.k("sOXFj");.var Kq=function(a){_.I.call(this,a.Ha)};_.A(Kq,_.I);Kq.Na=_.I.Na;Kq.Ba=_.I.Ba;Kq.prototype.aa=function(a){return a()};_.Eq(_.Wna,Kq);._.l();._.k("oGtAuc");._.Jta=new _.xe(_.Xna);._.l();._.k("q0xTif");.var Fua=function(a){var b=function(d){_.Rl(d)&&(_.Rl(d).yc=null,_.Xq(d,null));d.XyHi9&&(d.XyHi9=null)};b(a);a=a.querySelectorAll("[c-wiz]");for(var c=0;c<a.length;c++)b(a[c])},ir=function(a){_.gp.call(this,a.Ha);this.Qa=this.dom=null;if(this.xi()){var b=_.lk(this.Kf(),[_.Jk,_.Ik]);b=_.th([b[_.Jk],b[_.Ik]]).then(function(c){this.Qa=c[0];this.dom=c[1]},null,this);_.xq(this,b)}this.Ma=a.yh.W7};_.A(ir,_.gp);ir.Ba=function(){return{yh:{W7:function(){return _.ff(this)}}}};ir.prototype.getContext=function(a){return this.Ma.getContext(a)};.ir.prototype.getData=function(a){return this.Ma.getData(a)};ir.protot
                                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                        File Type:SVG Scalable Vector Graphics image
                                                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                                                        Size (bytes):749
Entropy (8bit):4.70368920713592
Encrypted:false
SSDEEP:12:t4nolW84qhebl8cP5UbKEBnStLJdJad+DB3xELFkXUIx+RWuSrtUjAC9ZiCWInLE:t4olS+2x5UbKrTJ9DA0YWrrmWCFzfIvB
MD5:AA920B32443219E3EDFA32DEF5EBD457
SHA1:8A4B47D0A2CA261803AA5C1A9DDE7BA3FE15B298
SHA-256:E5773339E56DD15D8DAAB94CE6ED5D444D1EF0B61355E20854234605BB2E755B
SHA-512:C45BDB233447E1F4D3B4B5174A328E3D8987C9B5E2E12733E5027173B0302919680901C311094714CFC32AC2F2C749DC9EB95FFCAA8F5DA1E5EBEF3FB7225E37
Malicious:false
URL:https://www.gstatic.com/images/branding/productlogos/googleg/v6/36px.svg
Preview:<svg xmlns="http://www.w3.org/2000/svg" height="36" viewBox="0 0 36 36" width="36"><path d="M34.32 18.39c0-1.17-.11-2.3-.29-3.39H18v6.48h9.4c-.38 2.19-1.59 4.05-3.42 5.31v4.1h5.28c3.2-2.97 5.06-7.33 5.06-12.5z" fill="#4285F4"/><path d="M18 35c4.59 0 8.44-1.52 11.25-4.12l-5.28-4.1c-1.57 1.08-3.59 1.71-5.97 1.71-4.51 0-8.33-3.02-9.73-7.11H2.82v4.23C5.62 31.18 11.36 35 18 35z" fill="#34A853"/><path d="M8.27 21.39c-.36-1.07-.57-2.21-.57-3.39s.21-2.32.58-3.39v-4.23H2.82C1.67 12.67 1 15.25 1 18s.67 5.33 1.82 7.63l5.45-4.24z" fill="#FBBC05"/><path d="M18 7.5c2.56 0 4.86.88 6.67 2.61l.01.02 4.7-4.7C26.43 2.68 22.59 1 18 1 11.36 1 5.62 4.82 2.82 10.37l5.45 4.23c1.4-4.08 5.22-7.1 9.73-7.1z" fill="#EA4335"/><path d="M1 1h34v34H1z" fill="none"/></svg>
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (467)
Category:downloaded
Size (bytes):1884
Entropy (8bit):5.292262488069745
Encrypted:false
SSDEEP:48:o7YQTzKjrL3AnFw4paFNW7xOkZfIt3UrkCq/srw:otoLcFx4kRIes4w
MD5:2DB6AB32BE79D1F4C092D251080FD3FF
SHA1:393B0124159B4B7269CABA1991D8BB0F24EBF073
SHA-256:523799F3A4E2A3F4A453A43AC03CD6B01EFAC005DAB66CE87277B9CCEC7BB67F
SHA-512:6D6DDA518FB82DE0D554B21810CC33A8C4708043377F4BA5C8AD1372DACAE52A02213C4A919EBF3AF27BEBFCE5432BAF0346A3E823A65AE442D1B9AF6D60BDFA
Malicious:false
URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,VwDzFe,YHI3We,YTxL4,YgOFye,ZZ4WUe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,bm51tf,byfTOb,eVCnO,f8Gu1e,hc6Ubd,inNHtf,lsjVmc,ltDFwf,lwddkf,mvkUhe,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,zbML3c,ziZ8Mc,zr1jrb,zu7j8,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iAskyc,ziXSP"
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (504)
Category:downloaded
Size (bytes):2215
Entropy (8bit):5.36757102910705
Encrypted:false
SSDEEP:48:ob1bEIZs1Ii7Bq7ZKhGdfWK7Dt75vpTMW1zmieTHWxrw:o5r8Ph4fPtdv91zmieT8w
MD5:306BAA59FBF8C921E798B0D5496B3915
SHA1:CB3B568B8C1F7A8187BC4146D91B3471E2152DCA
SHA-256:C816386F29E09DEDABBA8AC4F9A1BC06799796BE47AB9E88B1F34A3CA6CF333D
SHA-512:131121A04F87D5F41B659C932DE2FE268DE9B49DA890044DCA224C46D6F385A097BE7E472C831E7A1E16FB3D54E22A2D5D1D7501831E079CCA12C3978AEE95A5
Malicious:false
URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,VwDzFe,YHI3We,YTxL4,YgOFye,ZZ4WUe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,bm51tf,byfTOb,eVCnO,f8Gu1e,hc6Ubd,iAskyc,inNHtf,lsjVmc,ltDFwf,lwddkf,mvkUhe,n73qwf,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zu7j8,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=iCBEqb,nKuFpb"
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:MS Windows icon resource - 2 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
Category:downloaded
Size (bytes):5430
Entropy (8bit):3.6534652184263736
Encrypted:false
SSDEEP:48:wIJct3xIAxG/7nvWDtZcdYLtX7B6QXL3aqG8Q:wIJct+A47v+rcqlBPG9B
MD5:F3418A443E7D841097C714D69EC4BCB8
SHA1:49263695F6B0CDD72F45CF1B775E660FDC36C606
SHA-256:6DA5620880159634213E197FAFCA1DDE0272153BE3E4590818533FAB8D040770
SHA-512:82D017C4B7EC8E0C46E8B75DA0CA6A52FD8BCE7FCF4E556CBDF16B49FC81BE9953FE7E25A05F63ECD41C7272E8BB0A9FD9AEDF0AC06CB6032330B096B3702563
Malicious:false
URL:https://www.google.com/favicon.ico
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:Web Open Font Format (Version 2), TrueType, length 52280, version 1.0
Category:downloaded
Size (bytes):52280
Entropy (8bit):7.995413196679271
Encrypted:true
SSDEEP:1536:1rvqtK8DZilXxwJ8mMwAZy7phqsFLdG3B4d:xytBZits8bw4wzbFxG3B4d
MD5:F61F0D4D0F968D5BBA39A84C76277E1A
SHA1:AA3693EA140ECA418B4B2A30F6A68F6F43B4BEB2
SHA-256:57147F08949ABABE7DEEF611435AE418475A693E3823769A25C2A39B6EAD9CCC
SHA-512:6C3BD90F709BCF9151C9ED9FFEA55C4F6883E7FDA2A4E26BF018C83FE1CFBE4F4AA0DB080D6D024070D53B2257472C399C8AC44EEFD38B9445640EFA85D5C487
Malicious:false
URL:https://fonts.gstatic.com/s/googlesans/v58/4UaRrENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iq2vgCI.woff2
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (693)
Category:downloaded
Size (bytes):3141
Entropy (8bit):5.381866681101836
Encrypted:false
SSDEEP:48:o7VSeBvFfGiW0rq8sdQfydNQ8jsN4FwCYYnyTM4WCOcUkp+4pP8mLjujrFQp4rw:oA4zWynYzdOqbnyT6COm+4V8zO8w
MD5:18637A7357C35DBB1A9E667CFCF52ED0
SHA1:0FD3CA9D31EA8BDBD658236A8D70421F7B22F30D
SHA-256:25815BE99894ED26F3B92AE4A2C542F5AE523C44C7F83CCC90E63FCE939AC50A
SHA-512:BDF27DB349AEBA777DEC00EC6F505A01A5926837D9DB95BC1D3A204DC53A0AA7760DAFB8834A025B5333468B635ED875CBFFC63F771AD3682108EB711C821073
Malicious:false
URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,O6y8ed,PHUIyb,PrPYRd,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,YHI3We,YTxL4,YgOFye,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,byfTOb,eVCnO,f8Gu1e,hc6Ubd,inNHtf,lsjVmc,ltDFwf,lwddkf,mvkUhe,n73qwf,njlZCf,oLggrd,pxq3x,qPYxq,qPfo0c,qmdT9,rmumx,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,zbML3c,ziZ8Mc,zr1jrb,zu7j8,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ZwDk9d,RMhBfe"
Process:C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:ASCII text, with very long lines (17337)
Category:downloaded
Size (bytes):777920
Entropy (8bit):5.736234414933445
Encrypted:false
SSDEEP:6144:jJou68BNc2sU9zAbIfeTBUWV2my1MS1VQCBHxx1D+jb:jQ8BNuUmG1HVZf0b
MD5:13CBC7EB82860B6266DCCFC59F3C75F7
SHA1:B3EC028CD0954DB4974744C12303EF2210F09187
SHA-256:F68FEA62E44D6433E59101A40D898A335BA9E4D1DBDC36899705B79FE9AE1CC2
                                                                                                                                                                                                                                                        SHA-512:4A8BA7F7C1FFB7FC71F68102AF62B794CF6D2B570F4FF0B4764753D98AF0A1D52E6386DDEC81FFC30119B1475FB739C3EABA27943BC15FB5C3B179D57EF017A4
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=LEikZe,_b,_tp,byfTOb,lsjVmc/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=n73qwf,SCuOPb,IZT63,vfuNJf,UUJqVe,ws9Tlc,siKnQd,STuCOe,njlZCf,K1ZKnb,ziZ8Mc,b3kMqb,mvkUhe,CMcBD,Fndnac,t2srLd,EN3i8d,zu7j8,xiZRqc,NOeYWe,O6y8ed,L9OGUe,PrPYRd,MpJwZc,hc6Ubd,Rkm0ef,KUM7Z,oLggrd,inNHtf,L1AAkb,lwddkf,SpsfSb,aC1iue,tUnxGc,aW3pY,EFQ78c,xQtZb,I6YDgd,zbML3c,zr1jrb,vHEMJe,YHI3We,YTxL4,bSspM,Uas9Hd,zy0vNb,K0PMbc,AvtSve,qmdT9,xBaz7b,eVCnO,LDQI"
                                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (574)
                                                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                                                        Size (bytes):3449
                                                                                                                                                                                                                                                        Entropy (8bit):5.476559526829746
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:96:oWqZ4RE7YGueGE3bYetPjR6lv7esvpagGahjOw:wZ4R8XkvAgGq
                                                                                                                                                                                                                                                        MD5:F6053E7D421B4DBDA6B13AFE6A4E8331
                                                                                                                                                                                                                                                        SHA1:A4040265AD3E09BEEB0B6C8EC35156831A56F9AA
                                                                                                                                                                                                                                                        SHA-256:666B45739C898F59D524D3C78B5FBF452E731DFE64CE2BBB5E7C1D45181EDE93
                                                                                                                                                                                                                                                        SHA-512:CA5836BD044567762D922B20ECAA977ECBDFDE5BFE14CD692B489C93A6B25155ED1346FE60ABB93DFF986E944754899C7420982F354083463C3150ED5557504F
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,VwDzFe,YHI3We,YTxL4,YgOFye,ZZ4WUe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,bm51tf,byfTOb,eVCnO,f8Gu1e,hc6Ubd,iAskyc,iCBEqb,inNHtf,lsjVmc,ltDFwf,lwddkf,mvkUhe,n73qwf,nKuFpb,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,w9hDv,wg1P6b,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zu7j8,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=Wt6vjf,hhhU8,FCpbqb,WhJNk"
                                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (1299)
                                                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                                                        Size (bytes):114271
                                                                                                                                                                                                                                                        Entropy (8bit):5.5553458905033555
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:1536:byWA1WOEJNjYEEU0AzsWZYDq7Z3pbwQ+Fk3OTzB+9gmSeA5K2qU0UG2uioteT9:blALEJbX7Zj8k3OTzB+ymSeilG2keB
                                                                                                                                                                                                                                                        MD5:F313DC5B5708A43B9EEEF5C24F67A10F
                                                                                                                                                                                                                                                        SHA1:8DB79236A8CAECDE461C55994FE11235D7194F47
                                                                                                                                                                                                                                                        SHA-256:5E161ACD7EAF302818E14124B8AFD174B165238FFCB2F249B0ABF22CCBC2A6E6
                                                                                                                                                                                                                                                        SHA-512:E8FDFD5225D7EAED1C1AB093237915448C3F7F9DAD4E96C213F608DC1699D285A0C46E522B65BF73629A6184FF6BC5C0B1BBAF3B2F1E78BED98E5B033D0E421D
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=AvtSve,CMcBD,EFQ78c,EN3i8d,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,O6y8ed,PrPYRd,Rkm0ef,SCuOPb,STuCOe,SpsfSb,UUJqVe,Uas9Hd,YHI3We,YTxL4,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,byfTOb,eVCnO,hc6Ubd,inNHtf,lsjVmc,lwddkf,mvkUhe,n73qwf,njlZCf,oLggrd,qmdT9,siKnQd,t2srLd,tUnxGc,vHEMJe,vfuNJf,ws9Tlc,xBaz7b,xQtZb,xiZRqc,zbML3c,ziZ8Mc,zr1jrb,zu7j8,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=ltDFwf,SD8Jgb,rmumx,E87wgc,qPYxq,Tbb4sb,pxq3x,f8Gu1e,soHxf,YgOFye,qPfo0c,yRXbo,bTi8wc,ywOR5c,PHUIyb"
                                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (834)
                                                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                                                        Size (bytes):7669
                                                                                                                                                                                                                                                        Entropy (8bit):5.358621282750075
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:192:KoBsYETJv5wkjv7JkfKNuv0DCzeBinCWBKRYaRdR2bRuRPR5RGRfRhRAR8RA:1sBXwknJrN/s2t
                                                                                                                                                                                                                                                        MD5:C342BFA66173FE4BCC024C34B5B7BCB7
                                                                                                                                                                                                                                                        SHA1:32BB20CACA08FBE056A15218A778B5DCA219134C
                                                                                                                                                                                                                                                        SHA-256:93127A8CDDC51F0FFA89579EBA1578F54CA2CF65701550E9F6A611362C79A1A9
                                                                                                                                                                                                                                                        SHA-512:F878BEE61FE8CCC5B1B279E2AF265720D26558BF5C4EC819C8A897607B6726C2156C6D4D0F621F4434E9233BB6C10843C837FDC848A3586D52B849AFD7A71FE4
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/ck=boq-identity.AccountsSignInUi.abUGhSwZr5E.L.B1.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/exm=A7fCU,AvtSve,CMcBD,E87wgc,EFQ78c,EN3i8d,Fndnac,I6YDgd,IZT63,K0PMbc,K1ZKnb,KUM7Z,L1AAkb,L9OGUe,LDQI,LEikZe,MpJwZc,NOeYWe,NTMZac,O6y8ed,PHUIyb,PrPYRd,RMhBfe,Rkm0ef,RqjULd,SCuOPb,SD8Jgb,STuCOe,SpsfSb,Tbb4sb,UUJqVe,Uas9Hd,VwDzFe,YHI3We,YTxL4,YgOFye,ZZ4WUe,ZwDk9d,_b,_tp,aC1iue,aW3pY,b3kMqb,bSspM,bTi8wc,bm51tf,byfTOb,eVCnO,f8Gu1e,hc6Ubd,iAskyc,iCBEqb,inNHtf,lsjVmc,ltDFwf,lwddkf,mvkUhe,n73qwf,nKuFpb,njlZCf,oLggrd,pxq3x,q0xTif,qPYxq,qPfo0c,qmdT9,rmumx,sOXFj,siKnQd,soHxf,t2srLd,tUnxGc,vHEMJe,vfuNJf,w9hDv,ws9Tlc,xBaz7b,xQtZb,xiZRqc,yRXbo,ywOR5c,zbML3c,ziXSP,ziZ8Mc,zr1jrb,zu7j8,zy0vNb/excm=_b,_tp,identifierview/ed=1/wt=2/ujg=1/rs=AOaEmlFktUL8CS9ma2bFQwiLvYX2iyBOiw/ee=ASJRFf:DAnQ7e;Al0B8:kibjWe;DaIJ8c:iAskyc;EVNhjf:pw70Gc;EkYFhd:NoODMc;EmZ2Bf:zr1jrb;Erl4fe:FloWmf;JsbNhc:Xd8iUd;LBgRLc:XVMNvd;Me32dd:MEeYgc;NPKaK:PVlQOd;NSEoX:lazG7b;Oj465e:KG2eXe;Pjplud:EEDORb;QGR0gd:Mlhmy;SMDL4c:K0PMbc;SNUn3:ZwDk9d;UpnZUd:nnwwYc;XdiAjb:NLiXbe;a56pNe:JEfCwb;cEt90b:ws9Tlc;dIoSBb:SpsfSb;eBAeSb:zbML3c;iFQyKf:vfuNJf;io8t5d:yDVVkb;kMFpHd:OTA3Ae;nAFL3:NTMZac;nTuGK:JKNPM;oGtAuc:sOXFj;oSUNyd:K0PMbc;oXZmbc:tUnxGc;pXdRYb:L9OGUe;qddgKe:xQtZb;sP4Vbe:VwDzFe;uY49fb:COQbmf;ul9GGd:VDovNc;vNjB7d:YTxL4;wR5FRb:siKnQd;yxTchf:KUM7Z/m=wg1P6b"
                                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                                                        Size (bytes):52
                                                                                                                                                                                                                                                        Entropy (8bit):4.542000661265563
                                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                                        SSDEEP:3:yVkxzNDrMKcwVbF7KnZ:yVkxtkwVbF7KZ
                                                                                                                                                                                                                                                        MD5:B3B89B9C275343BC6798E3A83564FDDB
                                                                                                                                                                                                                                                        SHA1:32367475C527C3F5E5DB0BF42C348816FF4D157B
                                                                                                                                                                                                                                                        SHA-256:900FB968F7FD9EA55F600AC9002A89E56AB56597DA7BDE04DEAAE6CC77AEB276
                                                                                                                                                                                                                                                        SHA-512:ADB6938104E802B0936630B216CDE732F21ECA6E60E7A31D1B9C8FF52B5A66A712A7ECDE3F8ED4915D15C0A71C33A9788060E1E22999094C39020A1F8C636874
                                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                                        URL:https://content-autofill.googleapis.com/v1/pages/ChVDaHJvbWUvMTE3LjAuNTkzOC4xMzQSHgmA6QC9dWevzxIFDRkBE_oSBQ3oIX6GEgUN05ioBw==?alt=proto
                                                                                                                                                                                                                                                        Preview:CiUKDQ0ZARP6GgQIVhgCIAEKCw3oIX6GGgQISxgCCgcN05ioBxoA
                                                                                                                                                                                                                                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (2362)
                                                                                                                                                                                                                                                        Category:downloaded
                                                                                                                                                                                                                                                        Size (bytes):220329
Entropy (8bit):5.4443770705809635
Encrypted:false
SSDEEP:3072:4btvBkNQB0w3NSOm3Rt9whvd6Ptfk/7aNyHD9KhLh:A0a0wNmBwK67cyj4hLh
MD5:4441DDED9C24D3329776DD10688D12A8
SHA1:07FF661EB06DDD8858DA4B7AEE259597346D4881
SHA-256:58D7D9D54FF03332C13E22B4471FA7FD3834E070934CB969AE3DEBCB05DEF767
SHA-512:B4F891DB471F20287A21E6482B4E3C7A9D41422DCBF5F2DC08482C61FEC6D565279CA8DA3F7ABD944B5AD226C957CB10F4395760071B3A5DD030F635F3FA5C79
Malicious:false
URL:"https://www.gstatic.com/_/mss/boq-identity/_/js/k=boq-identity.AccountsSignInUi.en.eIcQTVVx-II.es5.O/am=PsAiOnEsAGLEeeADFAVCBgAAAAAAAAAArQFmBg/d=1/excm=_b,_tp,identifierview/ed=1/dg=0/wt=2/ujg=1/rs=AOaEmlFanHGHzypIF4CDunCjsiQhMN3SxQ/m=_b,_tp"
Preview:"use strict";this.default_AccountsSignInUi=this.default_AccountsSignInUi||{};(function(_){var window=this;.try{._._F_toggles_initialize=function(a){("undefined"!==typeof globalThis?globalThis:"undefined"!==typeof self?self:this)._F_toggles=a||[]};(0,_._F_toggles_initialize)([0x3a22c03e, 0x800b1c4, 0x3e079c46, 0x10814500, 0x6, 0x0, 0x201ad000, 0x199, ]);./*.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/./*.. SPDX-License-Identifier: Apache-2.0.*/./*.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT.*/./*.. Copyright 2024 Google, Inc. SPDX-License-Identifier: MIT.. Names of events that are special to jsaction. These are not all. event types that are legal to use in either HTML or the addEvent(). API, but these are the ones that are treated specially. All other. DOM events can be used in either addEvent() or in the value of the. jsaction attribute. Beware of browser specific events or events. that don't bubble though: If they are not mentioned he
File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):6.549382157838926
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:tA6etkt3gb.exe
File size:3'034'624 bytes
MD5:a599e020f718cf8c8f2c4cbc4dd53a20
SHA1:204471dfbe8595643042f780f6a41e11af6933d6
SHA256:624f4d882c679941ae0fbedd47554d2dd8419c3d5e6492d020b004719c164974
SHA512:60f1a2c7f46d15a9f533940a5c14b2adaf5a90343cbe7536d3c1eb773d612b0f272322f8f78ba2475e5b183364b0719b5037460c9757e2aad661128ea98def2d
SSDEEP:49152:O7yhKtnwpmRei5FHEdkjqM6tUi2jIILqdYhfdIAcax:O7yhKqEeizHEdkuM6tUhTOU6ANx
TLSH:FDE54A92AE0472CFD49E2B74943FCDA2595D07B9472108D3AC6964BABDF3CC121B6D38
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d.Y@...@...@....m..Q....m.......h..R....h..W....h..5....m..U....m..S...@........k..A....k1.A....k..A...Rich@...........PE..L..
Icon Hash:00928e8e8686b000
Entrypoint:0x71f000
Entrypoint Section:.taggant
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:0x65E4126F [Sun Mar 3 06:02:23 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:6
OS Version Minor:0
File Version Major:6
File Version Minor:0
Subsystem Version Major:6
Subsystem Version Minor:0
Import Hash:2eabe9054cad5152567f0699947a2c5b
Instruction
                                                                                                                                                                                                                                                        sub al, byte ptr [eax]
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        or ecx, dword ptr [edx]
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        xor byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        or al, byte ptr [eax]
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
                                                                                                                                                                                                                                                        add byte ptr [eax], al
Data directories:

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6a056 | 0x6a | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x69000 | 0x1e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x31d830 | 0x10 | mbzyibtj
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x31d7e0 | 0x18 | mbzyibtj
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections:

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x68000 | 0x2ea00 | 393250502d803a0d75562b6de31ecabb | False | 0.998224907841823 | data | 7.984093015905587 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x69000 | 0x1e0 | 0x200 | edca1db697a8545ad6b8a8842ae8db07 | False | 0.576171875 | data | 4.500825183950005 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x6a000 | 0x1000 | 0x200 | 17662c92043abde8b4b3074dcc401ca6 | False | 0.1484375 | data | 1.0249469107790772 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
mbzyibtj | 0x6b000 | 0x2b3000 | 0x2b2a00 | 3855ec570154a2a1243fc7a494aaf484 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
snnxyswc | 0x31e000 | 0x1000 | 0x400 | 460884a43d3f215f6e34ae4ef2808882 | False | 0.8037109375 | data | 6.312411585914756 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x31f000 | 0x3000 | 0x2200 | df24a068d8f5eeb06fcffc9b1fed14b5 | False | 0.06698069852941177 | DOS executable (COM) | 0.8125284787568041 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources:

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x31d840 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727

Imports:

DLL | Import
kernel32.dll | lstrcpy

Language of compilation system | Country where language is spoken
English | United States

Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.
Target ID: 1
Start time: 22:53:09
Start date: 18/04/2024
Path: C:\Users\user\Desktop\tA6etkt3gb.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\tA6etkt3gb.exe"
Imagebase: 0x1c0000
File size: 3'034'624 bytes
MD5 hash: A599E020F718CF8C8F2C4CBC4DD53A20
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000001.00000003.2225797084.0000000004800000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 22:53:15
Start date: 18/04/2024
Path: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
Imagebase: 0x400000
File size: 3'034'624 bytes
MD5 hash: A599E020F718CF8C8F2C4CBC4DD53A20
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000002.00000003.2278323852.00000000047D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 39%, ReversingLabs
Reputation: low
Has exited: false

Target ID: 4
Start time: 22:53:22
Start date: 18/04/2024
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Imagebase: 0x8a0000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 22:53:22
Start date: 18/04/2024
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\cred64.dll, Main
Imagebase: 0x7ff68b080000
File size: 71'680 bytes
                                                                                                                                                                                                                                                        MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:6
                                                                                                                                                                                                                                                        Start time:22:53:23
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\System32\netsh.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                        Commandline:netsh wlan show profiles
                                                                                                                                                                                                                                                        Imagebase:0x7ff639920000
                                                                                                                                                                                                                                                        File size:96'768 bytes
                                                                                                                                                                                                                                                        MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:7
                                                                                                                                                                                                                                                        Start time:22:53:23
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                        Imagebase:0x7ff66e660000
                                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:8
                                                                                                                                                                                                                                                        Start time:22:53:24
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
                                                                                                                                                                                                                                                        Imagebase:0x8a0000
                                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                                        Target ID:9
                                                                                                                                                                                                                                                        Start time:22:53:24
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                        Commandline:powershell -Command Compress-Archive -Path 'C:\Users\user\AppData\Local\Temp\_Files_\' -DestinationPath 'C:\Users\user\AppData\Local\Temp\246122658369_Desktop.zip' -CompressionLevel Optimal
                                                                                                                                                                                                                                                        Imagebase:0x7ff6e3d50000
                                                                                                                                                                                                                                                        File size:452'608 bytes
                                                                                                                                                                                                                                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:10
                                                                                                                                                                                                                                                        Start time:22:53:25
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                        Imagebase:0x7ff66e660000
                                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:11
                                                                                                                                                                                                                                                        Start time:22:53:25
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\1000054001\amert.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\1000054001\amert.exe"
                                                                                                                                                                                                                                                        Imagebase:0x6a0000
                                                                                                                                                                                                                                                        File size:1'859'584 bytes
                                                                                                                                                                                                                                                        MD5 hash:47786A32E7A47031EE41BD1C2EE24B39
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000B.00000002.2470234550.00000000006A1000.00000040.00000001.01000000.0000000B.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000000B.00000003.2378841431.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:13
                                                                                                                                                                                                                                                        Start time:22:53:28
                                                                                                                                                                                                                                                        Start date:18/04/2024
Path:C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe"
Imagebase:0x8d0000
File size:1'166'336 bytes
MD5 hash:34491075D86DBE293DDD347B8F89F590
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:true

Target ID:14
Start time:22:53:29
Start date:18/04/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
Imagebase:0x7ff684c40000
File size:3'242'272 bytes
MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:15
Start time:22:53:29
Start date:18/04/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Imagebase:0x7ff7403e0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:16
Start time:22:53:29
Start date:18/04/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 --field-trial-handle=2212,i,10105345457242715727,1817496549640985262,262144 /prefetch:8
Imagebase:0x7ff684c40000
File size:3'242'272 bytes
MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:17
Start time:22:53:33
Start date:18/04/2024
Path:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe"
Imagebase:0xc10000
File size:2'310'656 bytes
MD5 hash:FDA558788F4A8C86423D97EE694671FC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000011.00000003.2443781465.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2671676369.00000000013E7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000011.00000002.2676484710.00000000079FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000011.00000003.2567061812.00000000079FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000011.00000003.2567508830.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000003.2567508830.00000000079B4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000011.00000002.2676382409.00000000079B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000011.00000002.2676382409.00000000079B7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000011.00000003.2566711437.00000000079FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000011.00000003.2567220564.00000000079FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000011.00000003.2566883386.00000000079FA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000011.00000002.2670373091.0000000000C11000.00000040.00000001.01000000.00000012.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Target ID:18
Start time:22:53:35
Start date:18/04/2024
Path:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
Wow64 process (32bit):true
Commandline:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
Imagebase:0xce0000
File size:1'859'584 bytes
MD5 hash:47786A32E7A47031EE41BD1C2EE24B39
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000012.00000003.2481957933.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey's stealer DLL, Source: 00000012.00000002.2529830528.0000000000CE1000.00000040.00000001.01000000.00000013.sdmp, Author: Joe Security
Reputation:low
Has exited:true

Target ID:20
Start time:22:53:37
Start date:18/04/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5268 --field-trial-handle=2212,i,10105345457242715727,1817496549640985262,262144 /prefetch:8
Imagebase:0x7ff684c40000
File size:3'242'272 bytes
MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:21
Start time:22:53:37
Start date:18/04/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 --field-trial-handle=2212,i,10105345457242715727,1817496549640985262,262144 /prefetch:8
Imagebase:0x7ff684c40000
File size:3'242'272 bytes
                                                                                                                                                                                                                                                        MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:22
                                                                                                                                                                                                                                                        Start time:22:53:37
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):
                                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe"
                                                                                                                                                                                                                                                        Imagebase:
                                                                                                                                                                                                                                                        File size:3'034'624 bytes
                                                                                                                                                                                                                                                        MD5 hash:A599E020F718CF8C8F2C4CBC4DD53A20
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                                        Target ID:23
                                                                                                                                                                                                                                                        Start time:22:53:38
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                        Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                                                                                                                                                                                                                                                        Imagebase:0x7a0000
                                                                                                                                                                                                                                                        File size:187'904 bytes
                                                                                                                                                                                                                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:24
                                                                                                                                                                                                                                                        Start time:22:53:38
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                        Imagebase:0x7ff66e660000
                                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:25
                                                                                                                                                                                                                                                        Start time:22:53:38
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                        Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                                                                                                                                                                                                                                                        Imagebase:0x7a0000
                                                                                                                                                                                                                                                        File size:187'904 bytes
                                                                                                                                                                                                                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:26
                                                                                                                                                                                                                                                        Start time:22:53:38
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                        Imagebase:0x7ff66e660000
                                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:27
                                                                                                                                                                                                                                                        Start time:22:53:39
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe"
                                                                                                                                                                                                                                                        Imagebase:0x8d0000
                                                                                                                                                                                                                                                        File size:1'166'336 bytes
                                                                                                                                                                                                                                                        MD5 hash:34491075D86DBE293DDD347B8F89F590
                                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:28
                                                                                                                                                                                                                                                        Start time:22:53:39
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
                                                                                                                                                                                                                                                        Imagebase:0x7ff684c40000
                                                                                                                                                                                                                                                        File size:3'242'272 bytes
                                                                                                                                                                                                                                                        MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:29
                                                                                                                                                                                                                                                        Start time:22:53:40
                                                                                                                                                                                                                                                        Start date:18/04/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2080 --field-trial-handle=2008,i,7358717374769390442,8105426175949255574,262144 /prefetch:8
Imagebase:0x7ff684c40000
File size:3'242'272 bytes
MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:22:53:40
Start date:18/04/2024
Path:C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):true
Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:0x410000
File size:2'310'656 bytes
MD5 hash:FDA558788F4A8C86423D97EE694671FC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000002.2745944296.00000000012E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001E.00000003.2651044580.0000000007B09000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001E.00000003.2651935051.0000000007B1B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001E.00000003.2651686568.0000000007B09000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001E.00000002.2758476389.0000000007B23000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001E.00000002.2743444356.0000000000411000.00000040.00000001.01000000.00000014.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001E.00000003.2511709455.0000000004E60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001E.00000003.2651321951.0000000007B09000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
Has exited:true

Target ID:31
Start time:22:53:40
Start date:18/04/2024
Path:C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):true
Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:0x410000
File size:2'310'656 bytes
MD5 hash:FDA558788F4A8C86423D97EE694671FC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001F.00000002.2747382681.0000000000411000.00000040.00000001.01000000.00000014.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001F.00000002.2761794981.0000000007970000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000001F.00000003.2530726910.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001F.00000002.2750462233.0000000000F9D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:32
Start time:22:53:45
Start date:18/04/2024
Path:C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3592 --field-trial-handle=2212,i,10105345457242715727,1817496549640985262,262144 /prefetch:8
Imagebase:0x7ff684c40000
File size:3'242'272 bytes
MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:22:53:47
Start date:18/04/2024
Path:C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Local\Temp\1000056001\a14d081f84.exe"
Imagebase:0xc10000
File size:2'310'656 bytes
MD5 hash:FDA558788F4A8C86423D97EE694671FC
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000021.00000002.2679394212.0000000000C11000.00000040.00000001.01000000.00000012.sdmp, Author: Joe Security
• Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000021.00000003.2577880849.0000000004C50000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:34
Start time:22:53:50
Start date:18/04/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:0x7ff7403e0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:35
Start time:22:53:51
Start date:18/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1456 -ip 1456
Imagebase:0x3f0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:36
Start time:22:53:51
Start date:18/04/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1456 -s 2108
Imagebase:0x3f0000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                                                                                                                                                                        Target ID:37
                                                                                                                                                                                                                                                        Start time:22:53:53
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1612 --field-trial-handle=2212,i,10105345457242715727,1817496549640985262,262144 /prefetch:8
                                                                                                                                                                                                                                                        Imagebase:0x7ff684c40000
                                                                                                                                                                                                                                                        File size:3'242'272 bytes
                                                                                                                                                                                                                                                        MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:38
                                                                                                                                                                                                                                                        Start time:22:53:56
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                                                                                                                                                                                                                                        Imagebase:0x580000
                                                                                                                                                                                                                                                        File size:2'310'656 bytes
                                                                                                                                                                                                                                                        MD5 hash:FDA558788F4A8C86423D97EE694671FC
                                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000026.00000002.2763346512.0000000000581000.00000040.00000001.01000000.00000016.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000026.00000003.2664446701.0000000004CC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:39
                                                                                                                                                                                                                                                        Start time:22:53:58
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 8912 -ip 8912
                                                                                                                                                                                                                                                        Imagebase:0x3f0000
                                                                                                                                                                                                                                                        File size:483'680 bytes
                                                                                                                                                                                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:40
                                                                                                                                                                                                                                                        Start time:22:53:59
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8912 -s 2112
                                                                                                                                                                                                                                                        Imagebase:0x3f0000
                                                                                                                                                                                                                                                        File size:483'680 bytes
                                                                                                                                                                                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:41
                                                                                                                                                                                                                                                        Start time:22:53:59
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 8740 -ip 8740
                                                                                                                                                                                                                                                        Imagebase:0x3f0000
                                                                                                                                                                                                                                                        File size:483'680 bytes
                                                                                                                                                                                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:42
                                                                                                                                                                                                                                                        Start time:22:54:00
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
                                                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                                                        File size:3'034'624 bytes
                                                                                                                                                                                                                                                        MD5 hash:A599E020F718CF8C8F2C4CBC4DD53A20
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000002A.00000003.2763648199.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000002A.00000002.2805100586.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:43
                                                                                                                                                                                                                                                        Start time:22:54:00
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\4d0ab15804\chrosha.exe
                                                                                                                                                                                                                                                        Imagebase:0xce0000
                                                                                                                                                                                                                                                        File size:1'859'584 bytes
                                                                                                                                                                                                                                                        MD5 hash:47786A32E7A47031EE41BD1C2EE24B39
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000002B.00000003.2730670140.00000000049D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        • Rule: JoeSecurity_Amadey_2, Description: Yara detected Amadey\'s stealer DLL, Source: 0000002B.00000002.3604593284.0000000000CE1000.00000040.00000001.01000000.00000013.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                                        Target ID:44
                                                                                                                                                                                                                                                        Start time:22:54:00
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                        Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8740 -s 2060
                                                                                                                                                                                                                                                        Imagebase:0x3f0000
                                                                                                                                                                                                                                                        File size:483'680 bytes
                                                                                                                                                                                                                                                        MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:45
                                                                                                                                                                                                                                                        Start time:22:54:04
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\1000055001\fb1076712b.exe"
                                                                                                                                                                                                                                                        Imagebase:0x8d0000
                                                                                                                                                                                                                                                        File size:1'166'336 bytes
                                                                                                                                                                                                                                                        MD5 hash:34491075D86DBE293DDD347B8F89F590
                                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:49
                                                                                                                                                                                                                                                        Start time:22:54:05
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com/account
                                                                                                                                                                                                                                                        Imagebase:0x7ff684c40000
                                                                                                                                                                                                                                                        File size:3'242'272 bytes
                                                                                                                                                                                                                                                        MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:50
                                                                                                                                                                                                                                                        Start time:22:54:05
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                        Commandline:"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=2004,i,17688205100475661311,15377141121242979989,262144 /prefetch:8
                                                                                                                                                                                                                                                        Imagebase:0x7ff684c40000
                                                                                                                                                                                                                                                        File size:3'242'272 bytes
                                                                                                                                                                                                                                                        MD5 hash:5BBFA6CBDF4C254EB368D534F9E23C92
                                                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:51
                                                                                                                                                                                                                                                        Start time:22:54:07
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\1000147001\swiiiii.exe"
                                                                                                                                                                                                                                                        Imagebase:0xb0000
                                                                                                                                                                                                                                                        File size:329'352 bytes
                                                                                                                                                                                                                                                        MD5 hash:1C7D0F34BB1D85B5D2C01367CC8F62EF
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                                        • Detection: 92%, ReversingLabs
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:52
                                                                                                                                                                                                                                                        Start time:22:54:07
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                        Imagebase:0x7ff66e660000
                                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:53
                                                                                                                                                                                                                                                        Start time:22:54:07
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
                                                                                                                                                                                                                                                        Imagebase:0x8a0000
                                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:54
                                                                                                                                                                                                                                                        Start time:22:54:07
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                                                                                                                                                                                                                                        Imagebase:0xb80000
                                                                                                                                                                                                                                                        File size:65'440 bytes
                                                                                                                                                                                                                                                        MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                                        Target ID:55
                                                                                                                                                                                                                                                        Start time:22:54:07
                                                                                                                                                                                                                                                        Start date:18/04/2024
                                                                                                                                                                                                                                                        Path:C:\Windows\System32\rundll32.exe
                                                                                                                                                                                                                                                        Wow64 process (32bit):false
Commandline: "C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Roaming\c1ec479e5342a2\cred64.dll, Main
Imagebase: 0x7ff68b080000
File size: 71'680 bytes
MD5 hash: EF3179D498793BF4234F708D3BE28633
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 56
Start time: 22:54:08
Start date: 18/04/2024
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 7480 -ip 7480
Imagebase: 0x3f0000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true


Execution Graph

Execution Coverage: 5.3%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 7.1%
Total number of Nodes: 425
Total number of Limit Nodes: 11
execution_graph: [rendered graph data omitted; node/edge listing for the 425 nodes. API calls referenced by graph nodes: RtlWakeAllConditionVariable, InitializeCriticalSectionEx, CoInitialize, recv, GetSystemTimePreciseAsFileTime, InitOnceExecuteOnce, TpReleaseWork, RegOpenKeyExA, RegCloseKey, Sleep, CreateMutexA, GetFileAttributesA, GetPEB, ExitProcess, RtlInitializeConditionVariable, GetNativeSystemInfo, SleepConditionVariableCS, CreateThreadpoolWork, TpPostWork. CRT/STL symbols resolved in nodes include __Mtx_init_in_situ, __Mtx_unlock, __Cnd_broadcast, __Cnd_destroy_in_situ, __Mtx_destroy_in_situ, _xtime_get, __Xtime_diff_to_millis2, ___std_exception_copy, __dosmaperr, ___free_lconv_mon, shared_ptr, std::invalid_argument::invalid_argument, std::_Throw_future_error, Concurrency::cancel_current_task, Concurrency::details::_Reschedule_chore.]

Control-flow Graph

• Executed
• Not Executed
control_flow_graph: [rendered basic-block and edge data omitted for the function starting at 1c5dc8. Internal call targets in the block listing: 1decf8, 1de681, 1f82fa, 1f5780, 1d9750, 1d9090, 1c5d40, 1c21c0, 1d9890, 1da170, 1dab00, 1da910. Imported APIs reached from this function: RegOpenKeyExA, RegCloseKey.]
APIs
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00000001,?), ref: 001C5F0D
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 001C5F3B
• RegCloseKey.KERNELBASE(?), ref: 001C5F47
Strings
Memory Dump Source
• Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
• Associated: 00000001.00000002.2266000346.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266060104.0000000000224000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266155736.0000000000229000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266181253.000000000022B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266233083.0000000000237000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267289861.0000000000393000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267309954.0000000000396000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267335516.00000000003A9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267335516.00000000003B6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267383936.00000000003D0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267400513.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267423014.00000000003E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267445313.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267472657.0000000000412000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267493043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267513144.0000000000418000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267540756.000000000041C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267559701.0000000000423000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267581683.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267607683.0000000000435000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267631333.0000000000439000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267652058.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267669882.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267702675.0000000000443000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267724273.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267747090.000000000044A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267766144.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267784909.000000000044E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267804089.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267832219.000000000046C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267853013.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267873995.0000000000477000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267894475.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267919777.0000000000489000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.0000000000497000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267986318.00000000004C6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268007038.00000000004C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268025129.00000000004C8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268043208.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268061439.00000000004D0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268080057.00000000004DD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268102404.00000000004DF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CloseOpenQueryValue
                                                                                                                                                                                                                                                          • String ID: $($NtUnmapViewOfSection$VUUU$h R"$invalid stoi argument$ntdll.dll$stoi argument out of range
                                                                                                                                                                                                                                                          • API String ID: 3677997916-1627128469
                                                                                                                                                                                                                                                          • Opcode ID: d5a4bbb8008e11d4a28467d13bb568cecfc6a26065d23c9f495af8837fa0e0d5
                                                                                                                                                                                                                                                          • Instruction ID: e6bb63775b6464dc14fe713d49f73657879c5bb7844610dfaf9ca09a7f69644b
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d5a4bbb8008e11d4a28467d13bb568cecfc6a26065d23c9f495af8837fa0e0d5
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3DA21471A002089BEB18DF68CC85FEEB7B5EFA5304F50416DF905A7281DB75EA80CB95
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%
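Each memory-dump name in the lists above carries a base address and a memory-protection value, and the interesting rows for an analyst are the ones where a mapped image is both writable and executable (the usual sign that section rights were changed for in-place unpacking). The following is an added example, not part of the Joe Sandbox report or its tooling, that decodes those names and flags such regions. The field layout it assumes (process index, analysis stage, dump id, base address, protection, three uninterpreted trailing fields) is read off the names on this page and is an assumption; only the PAGE_* values are Windows winnt.h constants. SAMPLE_LINES is constructed from entries on this page, with the fused "Download File" link text left in to show it is tolerated.

```python
"""Decode Joe Sandbox .sdmp region names and flag writable+executable regions.

Added example, not report code. The field layout is an assumption taken from
the names on this page; the PAGE_* constants are winnt.h facts.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# winnt.h memory-protection constants (low byte of the protection value).
PAGE_NAMES = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Modifier bits that may be OR'ed into the low byte (also winnt.h).
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}  # copy-on-write pages count as writable

# ASSUMED layout: proc.stage.dumpid.base.protection.f6.f7.f8.sdmp
# Only base and protection are interpreted; f6..f8 are kept raw because the
# page does not say what they mean.
DUMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\."
    r"(?P<f6>[0-9A-Fa-f]{8})\.(?P<f7>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    proc: int
    stage: int
    base: int
    protection: int
    raw_tail: Tuple[str, str, str]

    @property
    def page_name(self) -> str:
        low = self.protection & 0xFF
        mods = [n for bit, n in PAGE_MODIFIERS.items() if self.protection & bit]
        return " | ".join([PAGE_NAMES.get(low, f"UNKNOWN(0x{low:02X})")] + mods)

    @property
    def executable(self) -> bool:
        return (self.protection & 0xFF) in EXECUTABLE

    @property
    def writable(self) -> bool:
        return (self.protection & 0xFF) in WRITABLE


def parse_dump_name(text: str) -> Optional[DumpRegion]:
    """Return the first .sdmp name found in text as a DumpRegion, or None."""
    m = DUMP_RE.search(text)
    if not m:
        return None
    return DumpRegion(
        name=m.group(0),
        proc=int(m["proc"], 16),
        stage=int(m["stage"], 16),
        base=int(m["base"], 16),
        protection=int(m["prot"], 16),
        raw_tail=(m["f6"], m["f7"], m["f8"]),
    )


def regions_from_report(lines: Iterable[str]) -> List[DumpRegion]:
    """Collect every distinct .sdmp name from report lines, sorted by base.
    Trailing link text such as 'Download File' is ignored by the regex."""
    seen = set()
    out: List[DumpRegion] = []
    for line in lines:
        for m in DUMP_RE.finditer(line):
            region = parse_dump_name(m.group(0))
            if region and region.name not in seen:
                seen.add(region.name)
                out.append(region)
    return sorted(out, key=lambda r: r.base)


def rwx_regions(regions: Iterable[DumpRegion]) -> List[DumpRegion]:
    """Regions that are both writable and executable: the classic indicator
    that image section rights were changed so code could be unpacked in place."""
    return [r for r in regions if r.executable and r.writable]


# Constructed sample: entries copied from this page, one duplicated on purpose.
SAMPLE_LINES = [
    "• Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true",
    "• Associated: 00000001.00000002.2266000346.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File",
    "• Associated: 00000001.00000002.2266233083.0000000000237000.00000080.00000001.01000000.00000003.sdmpDownload File",
    "• Associated: 00000001.00000002.2266000346.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File",
]

if __name__ == "__main__":
    for r in regions_from_report(SAMPLE_LINES):
        flag = "  <-- writable+executable" if r.executable and r.writable else ""
        print(f"proc {r.proc} stage {r.stage} base 0x{r.base:08X} {r.page_name}{flag}")
```

Run it as a script to print one line per region; feed it the whole "Memory Dump Source" list of a report to see which image pages were RWX versus plain read-write when the dump was taken.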

APIs
• ExitProcess.KERNEL32(?,?,001F7BBA,?,?,?,?,?,001F8C0E), ref: 001F7BF7
Memory Dump Source
• Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
• Associated: 00000001.00000002.2266000346.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266060104.0000000000224000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266155736.0000000000229000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266181253.000000000022B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266233083.0000000000237000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267289861.0000000000393000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267309954.0000000000396000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267335516.00000000003A9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267335516.00000000003B6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267383936.00000000003D0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267400513.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267423014.00000000003E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267445313.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267472657.0000000000412000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267493043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267513144.0000000000418000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267540756.000000000041C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267559701.0000000000423000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267581683.0000000000427000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267607683.0000000000435000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267631333.0000000000439000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267652058.000000000043A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267669882.000000000043C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267702675.0000000000443000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267724273.0000000000449000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267747090.000000000044A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267766144.000000000044D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267784909.000000000044E000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267804089.0000000000456000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267832219.000000000046C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267853013.000000000046D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267873995.0000000000477000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267894475.0000000000478000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267919777.0000000000489000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267942885.000000000048A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267942885.0000000000497000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267986318.00000000004C6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268007038.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268025129.00000000004C8000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268043208.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268061439.00000000004D0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268080057.00000000004DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268102404.00000000004DF000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 6eca45dc2e69f8992e3d2f24e094edbd91a90618e886b9eab89e4dbdc17fd831
                                                                                                                                                                                                                                                          • Instruction ID: 6bed00bf00ae312c97fd513fdf4cac81251a144dc590428f8dd34b29bd8c1784
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6eca45dc2e69f8992e3d2f24e094edbd91a90618e886b9eab89e4dbdc17fd831
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 88E08C3000810CAFCE26BB15CC65EB93B5EEB92354F000820FA0446221CB76EC52C980
                                                                                                                                                                                                                                                          Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2272032124.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4a30000_tA6etkt3gb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8a4574902085cc2b740c140cc45480e9075e135a3ae713840d3791b9504b4ef8
• Instruction ID: fd05b7b4f47fa839be4ea5f73bdd83c129cabaa350bebe26cab166df3060f253
• Opcode Fuzzy Hash: 8a4574902085cc2b740c140cc45480e9075e135a3ae713840d3791b9504b4ef8
• Instruction Fuzzy Hash: C121F3FB38D120BD619288862B155F76A3EE4D77723308036F907DB606F2D41E993171
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
                                                                                                                                                                                                                                                          control_flow_graph 361 1c5d40-1c5e3c call 1c5a70 call 1c5b10 call 1c4ad0 370 1c5e3e-1c5e4a 361->370 371 1c5e66-1c5e81 call 1de681 361->371 373 1c5e5c-1c5e63 call 1decf8 370->373 374 1c5e4c-1c5e5a 370->374 373->371 374->373 376 1c5e87-1c5f64 call 1f82fa call 1f5780 RegOpenKeyExA RegCloseKey 374->376 385 1c5f67-1c5f6c 376->385 385->385 386 1c5f6e-1c5fc7 call 1d9750 385->386 390 1c5fc9-1c5fd5 386->390 391 1c5ff1-1c600c call 1de681 386->391 392 1c5fe7-1c5fee call 1decf8 390->392 393 1c5fd7-1c5fe5 390->393 392->391 393->392 395 1c600d-1c611e call 1f82fa 393->395 406 1c6148-1c6155 call 1de681 395->406 407 1c6120-1c612c 395->407 408 1c613e-1c6145 call 1decf8 407->408 409 1c612e-1c613c 407->409 408->406 409->408 411 1c6156-1c6238 call 1f82fa call 1d9090 call 1c5d40 409->411 426 1c623c-1c625b call 1c21c0 411->426 427 1c623a 411->427 430 1c628c-1c6292 426->430 431 1c625d-1c626c 426->431 427->426 434 1c6295-1c629a 430->434 432 1c626e-1c627c 431->432 433 1c6282-1c6289 call 1decf8 431->433 432->433 435 1c64b7 call 1f82fa 432->435 433->430 434->434 437 1c629c-1c62c4 call 1d9090 call 1c5d40 434->437 442 1c64bc call 1f82fa 435->442 448 1c62c8-1c62e9 call 1c21c0 437->448 449 1c62c6 437->449 445 1c64c1-1c6542 call 1f82fa 442->445 453 1c6548 445->453 454 1c682a-1c683e 445->454 457 1c631a-1c632e 448->457 458 1c62eb-1c62fa 448->458 449->448 459 1c6550-1c6564 453->459 455 1c6844-1c6869 call 1d9750 454->455 456 1c68e3 call 1d9890 454->456 470 1c686b-1c6877 455->470 471 1c6893-1c6899 455->471 466 1c68e8-1c6a19 call 1f82fa call 1da170 call 1d9750 456->466 475 1c63d8-1c63fc 457->475 476 1c6334-1c633a 457->476 462 1c62fc-1c630a 458->462 463 1c6310-1c6317 call 1decf8 458->463 459->456 464 1c656a-1c65b4 call 1d9750 call 1dab00 459->464 462->442 
462->463 463->457 496 1c66e9-1c6703 464->496 497 1c65ba-1c65d7 call 1dab00 464->497 561 1c6a4b-1c6a5d 466->561 562 1c6a1b-1c6a21 466->562 477 1c6889-1c6890 call 1decf8 470->477 478 1c6879-1c6887 470->478 480 1c689b-1c68a7 471->480 481 1c68c3-1c68e2 call 1de681 471->481 484 1c6400-1c6405 475->484 483 1c6340-1c636d call 1d9090 call 1c5d40 476->483 477->471 478->466 478->477 488 1c68b9-1c68c0 call 1decf8 480->488 489 1c68a9-1c68b7 480->489 523 1c636f 483->523 524 1c6371-1c6398 call 1c21c0 483->524 484->484 485 1c6407-1c646c call 1d9750 * 2 484->485 518 1c646e-1c647d 485->518 519 1c6499-1c64b6 call 1de681 485->519 488->481 489->466 489->488 496->456 502 1c6709-1c6765 call 1d9750 call 1da910 496->502 497->496 515 1c65dd-1c65fa call 1dab00 497->515 535 1c679c-1c67af 502->535 536 1c6767-1c6773 502->536 515->496 530 1c6600-1c661d call 1dab00 515->530 526 1c648f-1c6496 call 1decf8 518->526 527 1c647f-1c648d 518->527 523->524 548 1c63c9-1c63cc 524->548 549 1c639a-1c63a9 524->549 526->519 527->445 527->526 530->496 555 1c6623-1c6640 call 1dab00 530->555 538 1c67dd-1c67e4 535->538 539 1c67b1-1c67bd 535->539 543 1c6789-1c6797 call 1decf8 536->543 544 1c6775-1c6783 536->544 550 1c680f-1c681b 538->550 551 1c67e6-1c67ef 538->551 546 1c67bf-1c67cd 539->546 547 1c67d3-1c67da call 1decf8 539->547 543->535 544->466 544->543 546->466 546->547 547->538 548->483 563 1c63d2 548->563 557 1c63bf-1c63c6 call 1decf8 549->557 558 1c63ab-1c63b9 549->558 550->459 564 1c6821-1c6827 550->564 559 1c6805-1c680c call 1decf8 551->559 560 1c67f1-1c67ff 551->560 555->496 575 1c6646-1c6663 call 1dab00 555->575 557->548 558->435 558->557 559->550 560->466 560->559 562->561 568 1c6a23-1c6a2f 562->568 563->475 564->454 572 1c6a41-1c6a48 call 1decf8 568->572 573 1c6a31-1c6a3f 568->573 572->561 573->572 576 1c6a5e-1c6a63 call 1f82fa 573->576 575->496 583 1c6669-1c6686 call 1dab00 575->583 583->496 586 1c6688-1c66a5 call 1dab00 583->586 586->496 589 1c66a7-1c66c4 call 1dab00 586->589 589->496 592 1c66c6-1c66e3 
call 1dab00 589->592 592->496 592->538
Memory Dump Source
• Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
• Associated: 00000001.00000002.2266000346.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266060104.0000000000224000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266155736.0000000000229000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266181253.000000000022B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266233083.0000000000237000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267289861.0000000000393000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267309954.0000000000396000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267335516.00000000003A9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267335516.00000000003B6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267383936.00000000003D0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267400513.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267423014.00000000003E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267445313.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267472657.0000000000412000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267493043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267513144.0000000000418000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267540756.000000000041C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267559701.0000000000423000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267581683.0000000000427000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267607683.0000000000435000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267631333.0000000000439000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267652058.000000000043A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267669882.000000000043C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267702675.0000000000443000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267724273.0000000000449000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267747090.000000000044A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267766144.000000000044D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267784909.000000000044E000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267804089.0000000000456000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267832219.000000000046C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267853013.000000000046D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267873995.0000000000477000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267894475.0000000000478000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267919777.0000000000489000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267942885.000000000048A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267942885.0000000000497000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267986318.00000000004C6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268007038.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268025129.00000000004C8000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268043208.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268061439.00000000004D0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268080057.00000000004DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268102404.00000000004DF000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b86eba1aa5c4c1af18a98f40bd77585f476a946c839b038804f5044d43bb3ce4
• Instruction ID: 5e3740d9db0cdace59122e0b9465d7925a4af550b902e08c1ffff3442e5c5f43
• Opcode Fuzzy Hash: b86eba1aa5c4c1af18a98f40bd77585f476a946c839b038804f5044d43bb3ce4
• Instruction Fuzzy Hash: C9B104B190020CABEF24DF64CD85FEEBBB9EB54304F50416DF909A7281D774AA84CB95
Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 595 1c9675-1c9695 599 1c9697-1c96a3 595->599 600 1c96c3-1c96df 595->600 601 1c96b9-1c96c0 call 1decf8 599->601 602 1c96a5-1c96b3 599->602 603 1c970d-1c972c 600->603 604 1c96e1-1c96ed 600->604 601->600 602->601 607 1ca3ec 602->607 605 1c972e-1c973a 603->605 606 1c975a-1ca3e6 call 1d9750 603->606 609 1c96ef-1c96fd 604->609 610 1c9703-1c970a call 1decf8 604->610 611 1c973c-1c974a 605->611 612 1c9750-1c9757 call 1decf8 605->612 614 1ca423-1ca466 Sleep CreateMutexA 607->614 615 1ca3ec call 1f82fa 607->615 609->607 609->610 610->603 611->607 611->612 612->606 615->614
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • Sleep.KERNELBASE(000003E8), ref: 001CA435
                                                                                                                                                                                                                                                          • CreateMutexA.KERNELBASE(00000000,00000000,002251D8), ref: 001CA453
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: 39550258ea9f3183c39da8b074bc6cf6cc7e3b7a419ee6b3578275d179829109
• Instruction ID: 16221060f4afa66134cf889ce28ce6d4cb9978b92110b5143144deebdc93b88a
• Opcode Fuzzy Hash: 39550258ea9f3183c39da8b074bc6cf6cc7e3b7a419ee6b3578275d179829109
• Instruction Fuzzy Hash: 773158717112449BEB18EB78DD9DBADBB62EFE1318F20821CE0159B3D1C775D9808B91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

control_flow_graph 626 1c9547-1c9560 629 1c958e-1c95aa 626->629 630 1c9562-1c956e 626->630 631 1c95ac-1c95b8 629->631 632 1c95d8-1c95f7 629->632 633 1c9584-1c958b call 1decf8 630->633 634 1c9570-1c957e 630->634 637 1c95ce-1c95d5 call 1decf8 631->637 638 1c95ba-1c95c8 631->638 639 1c95f9-1c9605 632->639 640 1c9625-1ca3e6 call 1d9750 632->640 633->629 634->633 635 1ca3e7 634->635 642 1ca423-1ca466 Sleep CreateMutexA 635->642 643 1ca3e7 call 1f82fa 635->643 637->632 638->635 638->637 646 1c961b-1c9622 call 1decf8 639->646 647 1c9607-1c9615 639->647 643->642 646->640 647->635 647->646
APIs
• Sleep.KERNELBASE(000003E8), ref: 001CA435
• CreateMutexA.KERNELBASE(00000000,00000000,002251D8), ref: 001CA453
Memory Dump Source
• Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267669882.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267702675.0000000000443000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267724273.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267747090.000000000044A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267766144.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267784909.000000000044E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267804089.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267832219.000000000046C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267853013.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267873995.0000000000477000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267894475.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267919777.0000000000489000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.0000000000497000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267986318.00000000004C6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268007038.00000000004C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268025129.00000000004C8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268043208.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268061439.00000000004D0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268080057.00000000004DD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268102404.00000000004DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: c95259ac48fc98a2d9be0f120248d9ac161743769f1fd47fbb8f3392a3eb3386
• Instruction ID: 1671abe960795f1cf29e763a462b5741ccf630a874bbbe9761b74a8eb9a75963
• Opcode Fuzzy Hash: c95259ac48fc98a2d9be0f120248d9ac161743769f1fd47fbb8f3392a3eb3386
• Instruction Fuzzy Hash: 533165327101489BEB19DB68DD9DBACB772EFA1318F20821DE4289B3D6CB75D9808751
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
• Legend of the rendered graph (image not reproduced here): Executed / Not Executed
control_flow_graph 656 1c9a14-1c9a34 660 1c9a36-1c9a42 656->660 661 1c9a62-1c9a7e 656->661 662 1c9a58-1c9a5f call 1decf8 660->662 663 1c9a44-1c9a52 660->663 664 1c9aac-1c9acb 661->664 665 1c9a80-1c9a8c 661->665 662->661 663->662 666 1ca3fb 663->666 670 1c9acd-1c9ad9 664->670 671 1c9af9-1ca3e6 call 1d9750 664->671 668 1c9a8e-1c9a9c 665->668 669 1c9aa2-1c9aa9 call 1decf8 665->669 673 1ca423-1ca466 Sleep CreateMutexA 666->673 674 1ca3fb call 1f82fa 666->674 668->666 668->669 669->664 677 1c9aef-1c9af6 call 1decf8 670->677 678 1c9adb-1c9ae9 670->678 674->673 677->671 678->666 678->677
APIs
• Sleep.KERNELBASE(000003E8), ref: 001CA435
• CreateMutexA.KERNELBASE(00000000,00000000,002251D8), ref: 001CA453
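The graph above ends in one basic block (1ca423-1ca466) that calls Sleep(0x3E8, i.e. 1000 ms) and then CreateMutexA with a NULL security descriptor, no initial ownership and a name pointer of 0x2251D8; the report does not print the mutex name itself. The Python below is a worked example added here, not part of the Joe Sandbox report or its tooling: it parses the report's own control_flow_graph and API lines (both copied verbatim from this page), locates the Sleep/CreateMutexA block, and computes which blocks can reach it and which bypass it. The token grammar (decimal node id, hex address or address range, "call target", bare API names, "a->b" edges) is inferred from the printed line and is an assumption, as is the heuristic that addresses always contain a hex letter or a hyphen.

```python
"""Parse a Joe Sandbox control_flow_graph line plus its API lines and locate
the Sleep -> CreateMutexA gate. Added example; the token grammar is inferred
from the report text, not a documented format."""
import re
from collections import deque

# Copied verbatim from the report's "Control-flow Graph" and "APIs" entries.
CFG_LINE = (
    "control_flow_graph 656 1c9a14-1c9a34 660 1c9a36-1c9a42 656->660 "
    "661 1c9a62-1c9a7e 656->661 662 1c9a58-1c9a5f call 1decf8 660->662 "
    "663 1c9a44-1c9a52 660->663 664 1c9aac-1c9acb 661->664 665 1c9a80-1c9a8c 661->665 "
    "662->661 663->662 666 1ca3fb 663->666 670 1c9acd-1c9ad9 664->670 "
    "671 1c9af9-1ca3e6 call 1d9750 664->671 668 1c9a8e-1c9a9c 665->668 "
    "669 1c9aa2-1c9aa9 call 1decf8 665->669 673 1ca423-1ca466 Sleep CreateMutexA 666->673 "
    "674 1ca3fb call 1f82fa 666->674 668->666 668->669 669->664 "
    "677 1c9aef-1c9af6 call 1decf8 670->677 678 1c9adb-1c9ae9 670->678 "
    "674->673 677->671 678->666 678->677"
)
API_LINES = [
    "Sleep.KERNELBASE(000003E8), ref: 001CA435",
    "CreateMutexA.KERNELBASE(00000000,00000000,002251D8), ref: 001CA453",
]

NODE_ID = re.compile(r"^\d+$")
ADDR = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")
EDGE = re.compile(r"^(\d+)->(\d+)$")
API = re.compile(r"^(\w+)\.(\w+)\(([0-9A-Fa-f,]*)\), ref: ([0-9A-Fa-f]+)$")


def parse_cfg(line):
    """Return (nodes, edges); nodes maps id -> {start, end, labels}."""
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    nodes, edges, current, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        # Node definition: "<decimal id> <hex addr | addr-addr>". Heuristic
        # (assumption): addresses in this dump contain a-f or '-', ids never do.
        if NODE_ID.match(tok) and ADDR.match(nxt) and not NODE_ID.match(nxt):
            lo, _, hi = nxt.partition("-")
            current = int(tok)
            nodes[current] = {"start": int(lo, 16), "end": int(hi or lo, 16), "labels": []}
            i += 2
            continue
        if current is None:
            raise ValueError(f"label {tok!r} appears before any node definition")
        if tok == "call":  # "call <target>" is a single label on the current block
            nodes[current]["labels"].append(f"call {nxt}")
            i += 2
        else:              # bare API names attached to the current block
            nodes[current]["labels"].append(tok)
            i += 1
    return nodes, edges


def parse_api(line):
    """Decode 'Name.Module(args), ref: addr' into integers."""
    m = API.match(line)
    if not m:
        raise ValueError(f"unrecognised API line: {line!r}")
    name, module, args, ref = m.groups()
    return {"name": name, "module": module,
            "args": [int(a, 16) for a in args.split(",") if a], "ref": int(ref, 16)}


def ancestors(edges, target):
    """All node ids from which `target` is reachable (reverse BFS)."""
    preds = {}
    for src, dst in edges:
        preds.setdefault(dst, set()).add(src)
    seen, queue = set(), deque([target])
    while queue:
        for p in preds.get(queue.popleft(), ()):
            if p not in seen:
                seen.add(p)
                queue.append(p)
    return seen


def block_containing(nodes, addr):
    return next((nid for nid, n in nodes.items() if n["start"] <= addr <= n["end"]), None)


def mutex_gate(cfg_line, api_lines):
    """Find the block that sleeps then creates the mutex and describe how it is reached."""
    nodes, edges = parse_cfg(cfg_line)
    by_name = {a["name"]: a for a in (parse_api(l) for l in api_lines)}
    sleep, mutex = by_name["Sleep"], by_name["CreateMutexA"]
    block = block_containing(nodes, mutex["ref"])
    if block is None or block != block_containing(nodes, sleep["ref"]):
        raise ValueError("Sleep and CreateMutexA do not share one basic block")
    if sleep["ref"] >= mutex["ref"]:
        raise ValueError("Sleep does not precede CreateMutexA")
    reach = ancestors(edges, block)
    return {"block": block, "block_start": nodes[block]["start"],
            "sleep_ms": sleep["args"][0], "mutex_name_ptr": mutex["args"][2],
            "direct_preds": sorted(s for s, d in edges if d == block),
            "ancestors": reach, "bypassing": sorted(set(nodes) - reach - {block})}


if __name__ == "__main__":
    r = mutex_gate(CFG_LINE, API_LINES)
    print(f"block {r['block']} @ {r['block_start']:#x}: Sleep({r['sleep_ms']} ms) then "
          f"CreateMutexA(name @ {r['mutex_name_ptr']:#x}); preds {r['direct_preds']}; "
          f"bypassed by {r['bypassing']}")
```

Run against the lines on this page, the result is that the gate block 673 is entered only from 1ca3fb (blocks 666 and 674), where the fall-through edges of the comparison blocks 663, 668 and 678 converge, while the large block 671 (1c9af9-1ca3e6, call 1d9750) and 677 never reach it. A one-second Sleep immediately before a named mutex is a pattern worth a closer look in a triage (delay plus single-instance check), but the report alone does not reveal the mutex name, so pull the string at 0x2251D8 from the 001C0000 dump before writing any rule on it.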
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266000346.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266060104.0000000000224000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266155736.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266181253.000000000022B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266233083.0000000000237000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267289861.0000000000393000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267309954.0000000000396000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267335516.00000000003A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267335516.00000000003B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267383936.00000000003D0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267400513.00000000003D1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267423014.00000000003E5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267445313.00000000003F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267472657.0000000000412000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267493043.0000000000417000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267513144.0000000000418000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267540756.000000000041C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267559701.0000000000423000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267581683.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267607683.0000000000435000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267631333.0000000000439000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267652058.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267669882.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267702675.0000000000443000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267724273.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267747090.000000000044A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267766144.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267784909.000000000044E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267804089.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267832219.000000000046C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267853013.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267873995.0000000000477000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267894475.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267919777.0000000000489000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.0000000000497000.00000040.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: 45050b38a522ecd66eea3b1135c296a98f3429d5e96fbc9c867d6630130c41a9
• Instruction ID: db714be62c6529a3ef2657b7acfc770f21179b5e69bd18c96c204212db274c0c
• Opcode Fuzzy Hash: 45050b38a522ecd66eea3b1135c296a98f3429d5e96fbc9c867d6630130c41a9
• Instruction Fuzzy Hash: A53196727201449BEB18DB68DC9CBACB762EFE1318F20821CE4549B3C1CB35D9808751
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (rendered graph with executed / not executed blocks; raw graph data omitted)
APIs
• Sleep.KERNELBASE(000003E8), ref: 001CA435
• CreateMutexA.KERNELBASE(00000000,00000000,002251D8), ref: 001CA453
Memory Dump Source
• Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: 43b113b768ee73bb3a172cd8cdc85abb739b170a1b0ee122c0fff1ed0ba156ab
• Instruction ID: e48a707e254c93b6585b8d649895b2584aca3c2fd581f2a4a1bff33989babceb
• Opcode Fuzzy Hash: 43b113b768ee73bb3a172cd8cdc85abb739b170a1b0ee122c0fff1ed0ba156ab
• Instruction Fuzzy Hash: 7B3146717102489BEB18DB68ED8DFADB7A2EFD5318F20821CE4149B3D5C77599808751
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph (rendered graph with executed / not executed blocks; raw graph data omitted)
APIs
• Sleep.KERNELBASE(000003E8), ref: 001CA435
• CreateMutexA.KERNELBASE(00000000,00000000,002251D8), ref: 001CA453
Memory Dump Source
• Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267445313.00000000003F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267472657.0000000000412000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267493043.0000000000417000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267513144.0000000000418000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267540756.000000000041C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267559701.0000000000423000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267581683.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267607683.0000000000435000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267631333.0000000000439000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267652058.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267669882.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267702675.0000000000443000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267724273.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267747090.000000000044A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267766144.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267784909.000000000044E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267804089.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267832219.000000000046C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267853013.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267873995.0000000000477000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267894475.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267919777.0000000000489000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.0000000000497000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267986318.00000000004C6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268007038.00000000004C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268025129.00000000004C8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268043208.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268061439.00000000004D0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268080057.00000000004DD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268102404.00000000004DF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1464230837-0
                                                                                                                                                                                                                                                          • Opcode ID: 5b08cd81204d0caedab6ddbea42c58445e1dc1edc07c08a4bfe13f51971cc2d0
                                                                                                                                                                                                                                                          • Instruction ID: 7e86366536a16b1f360f233f3ca638271776ad909734b2076a3eac20dabce904
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b08cd81204d0caedab6ddbea42c58445e1dc1edc07c08a4bfe13f51971cc2d0
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 513176727101449BEB18DBB8DC8CBBCBBA2EF91318F20821CE015AB3D1D775D9808751
                                                                                                                                                                                                                                                          Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed

Basic blocks (node id: start-end address, with calls made inside the block):
• 749: 1c9ee8-1c9f08
• 753: 1c9f0a-1c9f16
• 754: 1c9f36-1c9f52
• 755: 1c9f2c-1c9f33 (call 1decf8)
• 756: 1c9f18-1c9f26
• 757: 1c9f54-1c9f60
• 758: 1c9f80-1c9f9f
• 759: 1c9f76-1c9f7d (call 1decf8)
• 760: 1c9f62-1c9f70
• 761: 1c9fcd-1ca3e6 (call 1d9750)
• 762: 1c9fa1-1c9fad
• 763: 1ca40f
• 766: 1c9faf-1c9fbd
• 767: 1c9fc3-1c9fca (call 1decf8)
• 769: 1ca414-1ca466 (call 1f82fa x3, Sleep, CreateMutexA)
• 770: 1ca40f (call 1f82fa)
Edges (source node -> target node): 749->753, 749->754, 753->755, 753->756, 754->757, 754->758, 755->754, 756->755, 756->763, 757->759, 757->760, 758->761, 758->762, 759->758, 760->759, 760->763, 762->766, 762->767, 763->769, 763->770, 766->763, 766->767, 767->761, 770->769
APIs
• Sleep.KERNELBASE(000003E8), ref: 001CA435
• CreateMutexA.KERNELBASE(00000000,00000000,002251D8), ref: 001CA453
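The two API bullets above are the most useful triage data in this function record: Sleep's single argument is the delay in milliseconds (000003E8 = 1000 ms), and CreateMutexA's third argument (002251D8) is the lpName pointer, so the mutex string itself lives in whichever memory dump covers that address. The script below is an added example written for this page, not Joe Sandbox code: it parses API bullets and .sdmp names in the report's own format, decodes the arguments, and maps the lpName pointer to the dump an analyst would open to read the mutex name. It embeds a constructed copy of this function's two API lines and its first five dump names. Two assumptions are made and marked in the code: a dump is taken to extend from its base address up to the next dump's base (the report lists bases, not sizes), and the fifth field of an .sdmp name is read as a Win32 PAGE_* protection constant because the observed values 0x04, 0x40 and 0x80 line up with PAGE_READWRITE, PAGE_EXECUTE_READWRITE and PAGE_EXECUTE_WRITECOPY.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two "APIs" bullets of the function at 1c9ee8
# and the first five dump names from its "Memory Dump Source" list.
API_LINES = """
• Sleep.KERNELBASE(000003E8), ref: 001CA435
• CreateMutexA.KERNELBASE(00000000,00000000,002251D8), ref: 001CA453
"""

DUMP_LINES = """
• Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
• Associated: 00000001.00000002.2266000346.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266060104.0000000000224000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266155736.0000000000229000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266181253.000000000022B000.00000040.00000001.01000000.00000003.sdmp
"""

# Assumption: the fifth .sdmp field is a Win32 PAGE_* protection value.
PROTECTION_NAMES = {
    0x04: "PAGE_READWRITE",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}


@dataclass
class ApiCall:
    api: str        # e.g. "CreateMutexA"
    module: str     # e.g. "KERNELBASE"
    args: List[int] # argument values as logged, in call order
    ref: int        # address of the call instruction


@dataclass
class Dump:
    name: str
    base: int       # load address of the dumped region
    protection: int # see PROTECTION_NAMES (assumption)


# "• Api.Module(arg,arg,...), ref: ADDR"
API_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[0-9A-Fa-f,]*)\),"
    r"\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# "pid.stage.dumpid.BASE.PROT.x.y.z.sdmp" as used in Joe Sandbox dump names
DUMP_RE = re.compile(
    r"(?P<name>\d{8}\.\d{8}\.\d+\.(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})"
    r"(?:\.[0-9A-Fa-f]{8}){3}\.sdmp)"
)


def parse_api_calls(text: str) -> List[ApiCall]:
    """Parse the 'APIs' bullets of one function record."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        args = [int(a, 16) for a in m["args"].split(",") if a]
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


def parse_dumps(text: str) -> List[Dump]:
    """Collect every .sdmp name in the text, sorted by base address."""
    dumps = [Dump(m["name"], int(m["base"], 16), int(m["prot"], 16))
             for m in DUMP_RE.finditer(text)]
    return sorted(dumps, key=lambda d: d.base)


def locate_dump(address: int, dumps: List[Dump]) -> Optional[Dump]:
    """Return the dump whose base is the highest one not above `address`.
    Assumption: each dump extends up to the next dump's base."""
    best = None
    for d in dumps:  # dumps are sorted ascending by base
        if d.base <= address:
            best = d
        else:
            break
    return best


def sleep_ms(call: ApiCall) -> Optional[int]:
    """Sleep(dwMilliseconds): the logged argument is the delay in ms."""
    return call.args[0] if call.api == "Sleep" and call.args else None


def mutex_name_ptr(call: ApiCall) -> Optional[int]:
    """CreateMutexA/W(lpMutexAttributes, bInitialOwner, lpName): third arg."""
    if call.api in ("CreateMutexA", "CreateMutexW") and len(call.args) == 3:
        return call.args[2]
    return None


def main() -> None:
    dumps = parse_dumps(DUMP_LINES)
    for c in parse_api_calls(API_LINES):
        print(f"{c.api} at {c.ref:08X}, args {[hex(a) for a in c.args]}")
        if (ms := sleep_ms(c)) is not None:
            print(f"  sleeps {ms} ms before continuing")
        if (p := mutex_name_ptr(c)) is not None:
            d = locate_dump(p, dumps)
            where = f"{d.name} ({PROTECTION_NAMES.get(d.protection, hex(d.protection))})" if d else "no dump"
            print(f"  mutex name pointer {p:#x} -> {where}")


if __name__ == "__main__":
    main()
```

Run it to see that the lpName pointer 0x2251D8 resolves to the dump based at 0x224000 (protection 0x40), which is the file to carve the mutex string from; with the full 43-entry dump list pasted into DUMP_LINES the same lookup works for any pointer argument in the report.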
Memory Dump Source
• Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
• Associated: 00000001.00000002.2266000346.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266060104.0000000000224000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266155736.0000000000229000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266181253.000000000022B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266233083.0000000000237000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267289861.0000000000393000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267309954.0000000000396000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267335516.00000000003A9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267335516.00000000003B6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267383936.00000000003D0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267400513.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267423014.00000000003E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267445313.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267472657.0000000000412000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267493043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267513144.0000000000418000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267540756.000000000041C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267559701.0000000000423000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267581683.0000000000427000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267607683.0000000000435000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267631333.0000000000439000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267652058.000000000043A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267669882.000000000043C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267702675.0000000000443000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267724273.0000000000449000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267747090.000000000044A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267766144.000000000044D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267784909.000000000044E000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267804089.0000000000456000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267832219.000000000046C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267853013.000000000046D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267873995.0000000000477000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267894475.0000000000478000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267919777.0000000000489000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267942885.000000000048A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267942885.0000000000497000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267986318.00000000004C6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268007038.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268025129.00000000004C8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268043208.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268061439.00000000004D0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268080057.00000000004DD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268102404.00000000004DF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1464230837-0
                                                                                                                                                                                                                                                          • Opcode ID: 2dd64b3023d2ed2a5cdf4a9aab6e85644ccaf96fb20350f35d11eb2d7abd9125
                                                                                                                                                                                                                                                          • Instruction ID: ebd87c5811bf78b97f483a992fc0fc5224f2eb9a3e49db68ff1b3fdb68c34246
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2dd64b3023d2ed2a5cdf4a9aab6e85644ccaf96fb20350f35d11eb2d7abd9125
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8D3155717102049BEB18EB78CD8DBADBB72AFA5318F20821CF015DB7D5CB7599808761
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 786 1ca01d-1ca03d 790 1ca03f-1ca04b 786->790 791 1ca06b-1ca087 786->791 792 1ca04d-1ca05b 790->792 793 1ca061-1ca068 call 1decf8 790->793 794 1ca089-1ca095 791->794 795 1ca0b5-1ca0d4 791->795 792->793 800 1ca414-1ca466 call 1f82fa * 3 Sleep CreateMutexA 792->800 793->791 796 1ca0ab-1ca0b2 call 1decf8 794->796 797 1ca097-1ca0a5 794->797 798 1ca0d6-1ca0e2 795->798 799 1ca102-1ca3e6 call 1d9750 795->799 796->795 797->796 797->800 804 1ca0f8-1ca0ff call 1decf8 798->804 805 1ca0e4-1ca0f2 798->805 804->799 805->800 805->804
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • Sleep.KERNELBASE(000003E8), ref: 001CA435
                                                                                                                                                                                                                                                          • CreateMutexA.KERNELBASE(00000000,00000000,002251D8), ref: 001CA453
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266000346.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266060104.0000000000224000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266155736.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266181253.000000000022B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266233083.0000000000237000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267289861.0000000000393000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267309954.0000000000396000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267335516.00000000003A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267335516.00000000003B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267383936.00000000003D0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267400513.00000000003D1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267423014.00000000003E5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267445313.00000000003F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267472657.0000000000412000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267493043.0000000000417000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267513144.0000000000418000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267540756.000000000041C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267559701.0000000000423000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267581683.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267607683.0000000000435000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267631333.0000000000439000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267652058.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267669882.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267702675.0000000000443000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267724273.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267747090.000000000044A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267766144.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267784909.000000000044E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267804089.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267832219.000000000046C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267853013.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267873995.0000000000477000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267894475.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267919777.0000000000489000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.0000000000497000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267986318.00000000004C6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268007038.00000000004C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268025129.00000000004C8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268043208.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268061439.00000000004D0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268080057.00000000004DD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268102404.00000000004DF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1464230837-0
                                                                                                                                                                                                                                                          • Opcode ID: a573528e935ac6eb7bc3226932f87b17eae35c0a083d8748bbbc480296296a4b
                                                                                                                                                                                                                                                          • Instruction ID: d460d2cd8fdc019ffbbe32afa85874729e04ac5901f37cf24fe085e5521a490d
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a573528e935ac6eb7bc3226932f87b17eae35c0a083d8748bbbc480296296a4b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 013188717001089BEB19DBB8CC89BADB772EF9531CF60821CE4159B3C2CB75A9908762
                                                                                                                                                                                                                                                          Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (figure; the raw basic-block edge listing is not reproduced here. The graph ends in the block at 1ca419-1ca466 that calls Sleep and CreateMutexA.)

APIs
• Sleep.KERNELBASE(000003E8), ref: 001CA435
• CreateMutexA.KERNELBASE(00000000,00000000,002251D8), ref: 001CA453

Memory Dump Source
• Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd

Yara matches

Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: fca81050eb8f93b6544280884bf249994fd20edf884575ea5dfa8c9f1db1de88
• Instruction ID: fd92bdcd3aac6daa4068437bbce4994a29933108927961be78c4ff2292c93aff
• Opcode Fuzzy Hash: fca81050eb8f93b6544280884bf249994fd20edf884575ea5dfa8c9f1db1de88
• Instruction Fuzzy Hash: 183166717101089BEB1DDBB8DC89BADB7B2EF91318F64821CE0249B3D2CB759980C752
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph (figure; the raw basic-block edge listing is not reproduced here. The graph ends in the block at 1ca423-1ca466 that calls Sleep and CreateMutexA.)

APIs
• Sleep.KERNELBASE(000003E8), ref: 001CA435
• CreateMutexA.KERNELBASE(00000000,00000000,002251D8), ref: 001CA453

Memory Dump Source
• Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267832219.000000000046C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267853013.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267873995.0000000000477000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267894475.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267919777.0000000000489000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.0000000000497000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267986318.00000000004C6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268007038.00000000004C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268025129.00000000004C8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268043208.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268061439.00000000004D0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268080057.00000000004DD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268102404.00000000004DF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CreateMutexSleep
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1464230837-0
                                                                                                                                                                                                                                                          • Opcode ID: 9c59f32cc7f0e74f66655b5cae852f0a59b6262396b35804ed9853a283b1e246
                                                                                                                                                                                                                                                          • Instruction ID: 3970df61f0efca321b95212e2fc88b736be2c42f7a2cc78b1d17708f4208f311
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9c59f32cc7f0e74f66655b5cae852f0a59b6262396b35804ed9853a283b1e246
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5721A6323502049BFB18DB68DC89BACBB62EFE1315F20822DE4199B3D0CB7596808791
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph (rendered graph omitted; legend: Executed / Not Executed)
• Basic blocks 1ca326 through 1ca466; calls to 1c78b0, 1decf8, 1d9750 and 1f82fa; Sleep and CreateMutexA are invoked in block 1ca41e-1ca458
APIs
• Sleep.KERNELBASE(000003E8), ref: 001CA435
• CreateMutexA.KERNELBASE(00000000,00000000,002251D8), ref: 001CA453
Memory Dump Source
• Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
• Associated: 00000001.00000002.2266000346.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266060104.0000000000224000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266155736.0000000000229000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266181253.000000000022B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266233083.0000000000237000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267289861.0000000000393000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267309954.0000000000396000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267335516.00000000003A9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267335516.00000000003B6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267383936.00000000003D0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267400513.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267423014.00000000003E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267445313.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267472657.0000000000412000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267493043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267513144.0000000000418000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267540756.000000000041C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267559701.0000000000423000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267581683.0000000000427000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267607683.0000000000435000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267631333.0000000000439000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267652058.000000000043A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267669882.000000000043C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267702675.0000000000443000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267724273.0000000000449000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267747090.000000000044A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267766144.000000000044D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267784909.000000000044E000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267804089.0000000000456000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267832219.000000000046C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267853013.000000000046D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267873995.0000000000477000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267894475.0000000000478000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267919777.0000000000489000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267942885.000000000048A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267942885.0000000000497000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267986318.00000000004C6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268007038.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268025129.00000000004C8000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268043208.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268061439.00000000004D0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268080057.00000000004DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268102404.00000000004DF000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
Yara matches
Similarity
• API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: c3c298eca09a200cb0fd43a0b259f52dec26ae31e6535035504793b0c7bffce2
• Instruction ID: 1d4f9eecd1b0f4a2b4daf53f289d13959d09373d6b954df1555b0bdc07f11eec
• Opcode Fuzzy Hash: c3c298eca09a200cb0fd43a0b259f52dec26ae31e6535035504793b0c7bffce2
• Instruction Fuzzy Hash: DD215E303442489AF7296BA8AC5BF7C7652FFB1308F64441DE544C5AC1CBB5D880C66B
Uniqueness
Uniqueness Score: -1.00%
                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 907 1c78b0-1c7932 call 1f5780 911 1c7938-1c7960 call 1d9090 call 1c5d40 907->911 912 1c7e1a-1c7e37 call 1de681 907->912 919 1c7964-1c7986 call 1d9090 call 1c5d40 911->919 920 1c7962 911->920 925 1c7988 919->925 926 1c798a-1c79a3 919->926 920->919 925->926 929 1c79d4-1c79ff 926->929 930 1c79a5-1c79b4 926->930 933 1c7a30-1c7a51 929->933 934 1c7a01-1c7a10 929->934 931 1c79ca-1c79d1 call 1decf8 930->931 932 1c79b6-1c79c4 930->932 931->929 932->931 937 1c7e38 call 1f82fa 932->937 935 1c7a57-1c7a5c 933->935 936 1c7a53-1c7a55 GetNativeSystemInfo 933->936 939 1c7a26-1c7a2d call 1decf8 934->939 940 1c7a12-1c7a20 934->940 941 1c7a5d-1c7a66 935->941 936->941 948 1c7e3d-1c7ed1 call 1f82fa call 1f5780 937->948 939->933 940->937 940->939 946 1c7a68-1c7a6f 941->946 947 1c7a84-1c7a87 941->947 950 1c7e15 946->950 951 1c7a75-1c7a7f 946->951 952 1c7a8d-1c7a96 947->952 953 1c7dbb-1c7dbe 947->953 982 1c7edd-1c7f05 call 1d9090 call 1c5d40 948->982 983 1c7ed3-1c7ed8 948->983 950->912 955 1c7e10 951->955 956 1c7a98-1c7aa4 952->956 957 1c7aa9-1c7aac 952->957 953->950 958 1c7dc0-1c7dc9 953->958 955->950 956->955 960 1c7d98-1c7d9a 957->960 961 1c7ab2-1c7ab9 957->961 962 1c7dcb-1c7dcf 958->962 963 1c7df0-1c7df3 958->963 967 1c7d9c-1c7da6 960->967 968 1c7da8-1c7dab 960->968 969 1c7abf-1c7b16 call 1d9090 call 1c5d40 call 1d9090 call 1c5d40 call 1c5e90 961->969 970 1c7b94-1c7d81 call 1d9090 call 1c5d40 call 1d9090 call 1c5d40 call 1c5e90 call 1d9090 call 1c5d40 call 1c5860 call 1d9090 call 1c5d40 call 1d9090 call 1c5d40 call 1c5e90 call 1d9090 call 1c5d40 call 1c5860 call 1d9090 call 1c5d40 call 1d9090 call 1c5d40 call 1c5e90 call 1d9090 call 1c5d40 call 1c5860 961->970 971 1c7de4-1c7dee 962->971 972 1c7dd1-1c7dd6 962->972 965 
1c7df5-1c7dff 963->965 966 1c7e01-1c7e0d 963->966 965->950 966->955 967->955 968->950 975 1c7dad-1c7db9 968->975 1007 1c7b1b-1c7b22 969->1007 1027 1c7d87-1c7d90 970->1027 971->950 972->971 977 1c7dd8-1c7de2 972->977 975->955 977->950 1001 1c7f09-1c7f2b call 1d9090 call 1c5d40 982->1001 1002 1c7f07 982->1002 986 1c801f-1c803b call 1de681 983->986 1019 1c7f2d 1001->1019 1020 1c7f2f-1c7f48 1001->1020 1002->1001 1010 1c7b24 1007->1010 1011 1c7b26-1c7b46 call 1fa1e1 1007->1011 1010->1011 1022 1c7b7d-1c7b7f 1011->1022 1023 1c7b48-1c7b57 1011->1023 1019->1020 1036 1c7f79-1c7fa4 1020->1036 1037 1c7f4a-1c7f59 1020->1037 1026 1c7b85-1c7b8f 1022->1026 1022->1027 1028 1c7b6d-1c7b7a call 1decf8 1023->1028 1029 1c7b59-1c7b67 1023->1029 1026->1027 1027->953 1031 1c7d92 1027->1031 1028->1022 1029->948 1029->1028 1031->960 1042 1c7fa6-1c7fb5 1036->1042 1043 1c7fd1-1c7ff2 1036->1043 1039 1c7f6f-1c7f76 call 1decf8 1037->1039 1040 1c7f5b-1c7f69 1037->1040 1039->1036 1040->1039 1044 1c803c-1c8041 call 1f82fa 1040->1044 1047 1c7fc7-1c7fce call 1decf8 1042->1047 1048 1c7fb7-1c7fc5 1042->1048 1049 1c7ff8-1c7ffd 1043->1049 1050 1c7ff4-1c7ff6 1043->1050 1047->1043 1048->1044 1048->1047 1060 1c7ffe-1c8005 1049->1060 1050->1060 1060->986 1062 1c8007-1c800f 1060->1062 1064 1c8018-1c801b 1062->1064 1065 1c8011-1c8016 1062->1065 1064->986 1067 1c801d 1064->1067 1065->986 1067->986
APIs
• GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 001C7A53
Memory Dump Source
• Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
• Associated: 00000001.00000002.2266000346.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266060104.0000000000224000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266155736.0000000000229000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266181253.000000000022B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266233083.0000000000237000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267289861.0000000000393000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267309954.0000000000396000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267335516.00000000003A9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267335516.00000000003B6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267383936.00000000003D0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267400513.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267423014.00000000003E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267445313.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267472657.0000000000412000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267493043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267513144.0000000000418000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267540756.000000000041C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267559701.0000000000423000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267581683.0000000000427000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267607683.0000000000435000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267631333.0000000000439000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267652058.000000000043A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267669882.000000000043C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267702675.0000000000443000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267724273.0000000000449000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267747090.000000000044A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267766144.000000000044D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267784909.000000000044E000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267804089.0000000000456000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267832219.000000000046C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267853013.000000000046D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267873995.0000000000477000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267894475.0000000000478000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267919777.0000000000489000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267942885.000000000048A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267942885.0000000000497000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267986318.00000000004C6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268007038.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268025129.00000000004C8000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268043208.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268061439.00000000004D0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268080057.00000000004DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268102404.00000000004DF000.00000080.00000001.01000000.00000003.sdmp
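The Memory Dump Source list above is the raw material for a memory map of the module at 001C0000: each .sdmp name carries a region start address and, it appears, a page-protection value. The script below is an added example for this report page and is not Joe Sandbox code. Its reading of the .sdmp name (4th field = region start address, 5th field = page protection, all other fields ignored) is an assumption inferred from the listing, not something this page confirms; the PAGE_* values are the documented winnt.h constants, and the sample lines are copied from the listing, including the "Download File" link text that extraction glued onto the names.

```python
"""Memory map of the dumped module from Joe Sandbox 'Memory Dump Source' entries.

Added example for this report page; it is not Joe Sandbox code. The .sdmp field
layout below is an ASSUMPTION inferred from the listing (4th field = region start
address, 5th field = page protection); only those two fields are interpreted.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Page-protection constants from winnt.h, matched against the low byte of the
# assumed protection field.
PAGE_PROTECTION: Dict[int, str] = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITABLE_EXECUTABLE = {0x40, 0x80}

# Assumed name layout: <proc>.<stage>.<dumpid>.<address>.<protection>.<f6>.<f7>.<f8>.sdmp
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dumpid>\d+)\."
    r"(?P<addr>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\."
    r"[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.sdmp"
)

# Constructed sample: entries copied from the Memory Dump Source listing above,
# including the 'Download File' link text that extraction glued onto the names.
SAMPLE_REPORT = """\
• Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
• Associated: 00000001.00000002.2266000346.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000001.00000002.2266060104.0000000000224000.00000040.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000001.00000002.2266155736.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000001.00000002.2266181253.000000000022B000.00000040.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000001.00000002.2266233083.0000000000237000.00000080.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000001.00000002.2267289861.0000000000393000.00000040.00000001.01000000.00000003.sdmpDownload File
"""


@dataclass
class DumpRegion:
    address: int
    protection: int
    dump_id: int
    size: Optional[int] = None  # filled in from the next region's start address

    @property
    def protection_name(self) -> str:
        return PAGE_PROTECTION.get(self.protection & 0xFF, f"0x{self.protection:08X}")

    @property
    def writable_executable(self) -> bool:
        return (self.protection & 0xFF) in WRITABLE_EXECUTABLE


def parse_dump_entry(line: str) -> Optional[DumpRegion]:
    """Extract one region from a 'Source File:' or 'Associated:' line; any text
    after '.sdmp' (offset note, link text) is ignored. None for other lines."""
    m = SDMP_RE.search(line)
    if not m:
        return None
    return DumpRegion(address=int(m.group("addr"), 16),
                      protection=int(m.group("prot"), 16),
                      dump_id=int(m.group("dumpid")))


def build_memory_map(report_lines: List[str]) -> List[DumpRegion]:
    """Sort regions by start address and take the distance to the next start as
    each region's size (assumption: the dumps are contiguous). The last region's
    size stays None because nothing on the page bounds it."""
    regions = [r for r in map(parse_dump_entry, report_lines) if r is not None]
    regions.sort(key=lambda r: r.address)
    for cur, nxt in zip(regions, regions[1:]):
        cur.size = nxt.address - cur.address
    return regions


def writable_executable_regions(regions: List[DumpRegion]) -> List[int]:
    """Start addresses mapped writable and executable: where self-modifying or
    unpacked code lands, and the first regions to carve and scan."""
    return [r.address for r in regions if r.writable_executable]


def render(regions: List[DumpRegion]) -> str:
    rows = []
    for r in regions:
        size = f"0x{r.size:X}" if r.size is not None else "?"
        flag = "  <- W+X" if r.writable_executable else ""
        rows.append(f"{r.address:08X}  size {size:>8}  {r.protection_name}{flag}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(render(build_memory_map(SAMPLE_REPORT.splitlines())))
```

Run against the sample, the map starts with a PAGE_READWRITE page at 001C0000 (the PE headers, under the field-layout assumption) followed by a PAGE_EXECUTE_READWRITE region from 001C1000. A linker-built .text section is normally PAGE_EXECUTE_READ, so a code region that is also writable is the kind of section-rights change an unpacker makes, and those W+X regions are the dumps worth carving first.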
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
Yara matches
Similarity
• API ID: InfoNativeSystem
• String ID:
• API String ID: 1721193555-0
• Opcode ID: e7a8e44a1f01ec8ca12bf90e2bc7795ffe39b4317649111b60134556c0b296d4
• Instruction ID: ebb6db1ca9287b4c540d8b37648e6d3942844e51f4ea85918b495b58ed621a31
• Opcode Fuzzy Hash: e7a8e44a1f01ec8ca12bf90e2bc7795ffe39b4317649111b60134556c0b296d4
• Instruction Fuzzy Hash: 09122871E04214ABDB24FBB8DC46BAD7B71AB61314F50429CE4156B3C2DB759E908FC2
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNELBASE(?), ref: 001C8289
Memory Dump Source
• Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
• Associated: 00000001.00000002.2266000346.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266060104.0000000000224000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266155736.0000000000229000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266181253.000000000022B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266233083.0000000000237000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267289861.0000000000393000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267309954.0000000000396000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267335516.00000000003A9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267335516.00000000003B6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267383936.00000000003D0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267400513.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267423014.00000000003E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267445313.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267472657.0000000000412000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267493043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267513144.0000000000418000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267540756.000000000041C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267559701.0000000000423000.00000080.00000001.01000000.00000003.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267581683.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267607683.0000000000435000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267631333.0000000000439000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267652058.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267669882.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267702675.0000000000443000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267724273.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267747090.000000000044A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267766144.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267784909.000000000044E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267804089.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267832219.000000000046C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267853013.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267873995.0000000000477000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267894475.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267919777.0000000000489000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.0000000000497000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267986318.00000000004C6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268007038.00000000004C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268025129.00000000004C8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268043208.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268061439.00000000004D0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268080057.00000000004DD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268102404.00000000004DF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: AttributesFile
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3188754299-0
                                                                                                                                                                                                                                                          • Opcode ID: 3b5104510daa8465f1c1a92bb205461227b25c137ec8f7f6b961285dd77c3d7d
                                                                                                                                                                                                                                                          • Instruction ID: c12b281dc3cb02a3fa399091c53d20d4c358cc0498d6a0269be2076e53e5b545
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3b5104510daa8465f1c1a92bb205461227b25c137ec8f7f6b961285dd77c3d7d
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 90C08C30031E2029FD1C097805DCAB93300AAA73EC7E81B8CE0B04A0E1CF35E807D210
                                                                                                                                                                                                                                                          Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNELBASE(?), ref: 001C8289
Memory Dump Source
• Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
• Associated: 00000001.00000002.2266000346.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266060104.0000000000224000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266155736.0000000000229000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266181253.000000000022B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266233083.0000000000237000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267289861.0000000000393000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267309954.0000000000396000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267335516.00000000003A9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267335516.00000000003B6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267383936.00000000003D0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267400513.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267423014.00000000003E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267445313.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267472657.0000000000412000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267493043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267513144.0000000000418000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267540756.000000000041C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267559701.0000000000423000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267581683.0000000000427000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267607683.0000000000435000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267631333.0000000000439000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267652058.000000000043A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267669882.000000000043C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267702675.0000000000443000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267724273.0000000000449000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267747090.000000000044A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267766144.000000000044D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267784909.000000000044E000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267804089.0000000000456000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267832219.000000000046C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267853013.000000000046D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267873995.0000000000477000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267894475.0000000000478000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267919777.0000000000489000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267942885.000000000048A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267942885.0000000000497000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267986318.00000000004C6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268007038.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268025129.00000000004C8000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268043208.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268061439.00000000004D0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268080057.00000000004DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268102404.00000000004DF000.00000080.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 2099994389743e56eaf09ab2b70f77c05d1b632bb1d139946bef51faedb6f964
• Instruction ID: 40340c469c504501f76dba6a93ff471171e2f1c861d8febf4c066ec562db7b41
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2099994389743e56eaf09ab2b70f77c05d1b632bb1d139946bef51faedb6f964
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BAC08C30031A206AFE1C4A6845DCA793300EBA33AC3F80B9CE0714A0E1CF32D803C6A0
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • CoInitialize.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 001CABF8
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266000346.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266060104.0000000000224000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266155736.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266181253.000000000022B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266233083.0000000000237000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267289861.0000000000393000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267309954.0000000000396000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267335516.00000000003A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267335516.00000000003B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267383936.00000000003D0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267400513.00000000003D1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267423014.00000000003E5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267445313.00000000003F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267472657.0000000000412000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267493043.0000000000417000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267513144.0000000000418000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267540756.000000000041C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267559701.0000000000423000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267581683.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267607683.0000000000435000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267631333.0000000000439000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267652058.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267669882.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267702675.0000000000443000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267724273.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267747090.000000000044A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267766144.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267784909.000000000044E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267804089.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267832219.000000000046C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267853013.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267873995.0000000000477000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267894475.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267919777.0000000000489000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.0000000000497000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267986318.00000000004C6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268007038.00000000004C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268025129.00000000004C8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268043208.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268061439.00000000004D0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268080057.00000000004DD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268102404.00000000004DF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Initialize
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2538663250-0
                                                                                                                                                                                                                                                          • Opcode ID: 5cc5dc54a10be977e5bbf229ecd06eb6393e8fc10644ddaf721556bd73ab086a
                                                                                                                                                                                                                                                          • Instruction ID: ef5ce9cf9babfd1ef47329f36857ea7683b50ea733a081b97751d9cdfa694493
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5cc5dc54a10be977e5bbf229ecd06eb6393e8fc10644ddaf721556bd73ab086a
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 97B11770A1026CDFEB29CF14C8A4BEEB7B5EF15308F9041D9E409A7281D775AA84CF91
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000001.00000002.2272032124.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_4a30000_tA6etkt3gb.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 80f4fe551d10d2dd279de46cf16217be45c6b4fe1b1643503b8e5986521369bf
                                                                                                                                                                                                                                                          • Instruction ID: e088800d9970a63c5ffb2bce8dfc7a63e98c41897031eac84d2f59fcb7dca0d6
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 80f4fe551d10d2dd279de46cf16217be45c6b4fe1b1643503b8e5986521369bf
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AA2134BB38D120BC219289962B016F76A3EE5C77723308027F447DA616F2E42E893171
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000001.00000002.2272032124.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_4a30000_tA6etkt3gb.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: da6269039a6e96edc5d82f23b35891d55fd5d80e8c645506790151fa6f23cf66
                                                                                                                                                                                                                                                          • Instruction ID: 545773c6e4fc2e3a3789377036bd13da447b5e210ca2bcf2e1c802b57a90b039
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: da6269039a6e96edc5d82f23b35891d55fd5d80e8c645506790151fa6f23cf66
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 902136FB28D110BD6293989627055F67E7EE4D76723308032F447DB606F2D51E993231
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2272032124.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4a30000_tA6etkt3gb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2272032124.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4a30000_tA6etkt3gb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2272032124.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4a30000_tA6etkt3gb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2272032124.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4a30000_tA6etkt3gb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2272032124.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4a30000_tA6etkt3gb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2272032124.0000000004A30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04A30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_4a30000_tA6etkt3gb.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness
Uniqueness Score: -1.00%

APIs
• recv.WS2_32(?,?,00000004,00000000), ref: 001CD91B
• recv.WS2_32(?,?,00000008,00000000), ref: 001CD950
Memory Dump Source
• Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267631333.0000000000439000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267652058.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267669882.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267702675.0000000000443000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267724273.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267747090.000000000044A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267766144.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267784909.000000000044E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267804089.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267832219.000000000046C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267853013.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267873995.0000000000477000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267894475.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267919777.0000000000489000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.0000000000497000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267986318.00000000004C6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268007038.00000000004C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268025129.00000000004C8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268043208.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268061439.00000000004D0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268080057.00000000004DD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268102404.00000000004DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
Yara matches
Similarity
• API ID: recv
• String ID:
• API String ID: 1507349165-0
• Opcode ID: f62f78ae1d52e5d4964363335a7a028842e92c947f8f9ebdd6bd4ad83b150ce9
• Instruction ID: dd6ff30cc1f879c845dd339b9c490e41ba9ea372249a633f78a9d8d98e0d489a
• Opcode Fuzzy Hash: f62f78ae1d52e5d4964363335a7a028842e92c947f8f9ebdd6bd4ad83b150ce9
• Instruction Fuzzy Hash: 8E31D871900208ABD730DBA8EC85FAF77B8FB19728F440629E515E72D1DB74E806CB60
Uniqueness
• Uniqueness Score: -1.00%
APIs
• GetSystemTimePreciseAsFileTime.KERNEL32(?,001DE5E2,?,00000003,00000003,?,001DE617,?,?,?,00000003,00000003,?,001DDB8D,001C2EB9,00000001), ref: 001DE293
Memory Dump Source
• Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
• Associated: 00000001.00000002.2266000346.00000000001C0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266060104.0000000000224000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266155736.0000000000229000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266181253.000000000022B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2266233083.0000000000237000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267289861.0000000000393000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267309954.0000000000396000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267335516.00000000003A9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267335516.00000000003B6000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267383936.00000000003D0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267400513.00000000003D1000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267423014.00000000003E5000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267445313.00000000003F9000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267472657.0000000000412000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267493043.0000000000417000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267513144.0000000000418000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267540756.000000000041C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267559701.0000000000423000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267581683.0000000000427000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267607683.0000000000435000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267631333.0000000000439000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267652058.000000000043A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267669882.000000000043C000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267702675.0000000000443000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267724273.0000000000449000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267747090.000000000044A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267766144.000000000044D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267784909.000000000044E000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267804089.0000000000456000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267832219.000000000046C000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267853013.000000000046D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267873995.0000000000477000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267894475.0000000000478000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267919777.0000000000489000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267942885.000000000048A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267942885.0000000000497000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2267986318.00000000004C6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268007038.00000000004C7000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268025129.00000000004C8000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268043208.00000000004CE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268061439.00000000004D0000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268080057.00000000004DD000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.2268102404.00000000004DF000.00000080.00000001.01000000.00000003.sdmp
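The dump names above carry the region metadata a reverser wants when checking the report's "changes PE section rights" finding: the list alternates between 0x40 and 0x80 values in the fifth field across an image-backed range starting at the PE base 001C0000. The following script is an added example, not part of the Joe Sandbox report or its tooling. It assumes (from the values, not from any documentation on this page) that the fifth dot-separated field is a Win32 PAGE_* protection and the seventh is the MEMORY_BASIC_INFORMATION type (0x1000000 = MEM_IMAGE, consistent with "based on PE: true"); the sixth and eighth fields are left uninterpreted. The sample input is a constructed subset copied from the Memory Dump Source list.

```python
"""Triage Joe Sandbox .sdmp names for image pages that are no longer pristine.

Assumed name layout (inferred from this report's values, not documented here):
  <pid>.<run>.<seq>.<base>.<protect>.<f6>.<memtype>.<f8>.sdmp
Only <base>, <protect> (Win32 PAGE_*) and <memtype> (MEM_*) are interpreted.
"""
import re
from dataclasses import dataclass

# winnt.h memory-protection constants
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
PROTECT_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS", PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE", PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE", PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
# winnt.h memory-type constants (MEMORY_BASIC_INFORMATION.Type)
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000

SDMP_RE = re.compile(
    r"^([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})"
    r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    run: int
    seq: int          # increases through the list; treated as decimal (assumption)
    base: int
    protect: int      # low byte is the PAGE_* value; modifiers like PAGE_GUARD sit above
    mem_type: int
    name: str

    @property
    def protect_name(self) -> str:
        return PROTECT_NAMES.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def is_image(self) -> bool:
        return self.mem_type == MEM_IMAGE

    @property
    def executable(self) -> bool:
        # All four PAGE_EXECUTE* values live in the high nibble of the low byte.
        return bool(self.protect & (PAGE_EXECUTE | PAGE_EXECUTE_READ
                                    | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY))


def parse_sdmp(name: str) -> DumpRegion:
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised .sdmp name: {name}")
    pid, run, seq, base, protect, _f6, mem_type, _f8 = m.groups()
    return DumpRegion(int(pid, 16), int(run, 16), int(seq), int(base, 16),
                      int(protect, 16), int(mem_type, 16), name)


def modified_executable_regions(names):
    """Image-backed regions whose pages are PAGE_EXECUTE_READWRITE, sorted by base.

    A writable+executable section of a mapped PE starts as PAGE_EXECUTE_WRITECOPY.
    The kernel leaves a page as PAGE_EXECUTE_READWRITE only after it was written to
    (copy-on-write resolved) or re-protected with VirtualProtect, so such pages no
    longer match the file on disk: the residue an unpacker leaves behind.
    """
    regions = sorted((parse_sdmp(n) for n in names), key=lambda r: r.base)
    return [r for r in regions if r.is_image and r.protect == PAGE_EXECUTE_READWRITE]


# Constructed input: dump names copied from the report's Memory Dump Source list.
SAMPLE_DUMPS = [
    "00000001.00000002.2266000346.00000000001C0000.00000004.00000001.01000000.00000003.sdmp",
    "00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp",
    "00000001.00000002.2266155736.0000000000229000.00000004.00000001.01000000.00000003.sdmp",
    "00000001.00000002.2266233083.0000000000237000.00000080.00000001.01000000.00000003.sdmp",
    "00000001.00000002.2267289861.0000000000393000.00000040.00000001.01000000.00000003.sdmp",
]

if __name__ == "__main__":
    for r in modified_executable_regions(SAMPLE_DUMPS):
        print(f"pid {r.pid} base 0x{r.base:08X} {r.protect_name} image={r.is_image}")
```

On the sample above the PE header region at 001C0000 (PAGE_READWRITE) and the untouched PAGE_EXECUTE_WRITECOPY region at 00237000 are not reported; the regions at 001C1000 and 00393000 are, which is where to point IDA first when looking for the unpacked code the signature refers to.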
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
Yara matches
Similarity
• API ID: Time$FilePreciseSystem
• String ID:
• API String ID: 1802150274-0
• Opcode ID: e6a2a3665aa57794ef76faec0ef892bde901be25ad5782c87aec62df642b198f
• Instruction ID: 0439f6d1eecb97745202a002a94215502b2cc12c2cc9119ba84da97584555eb0
• Opcode Fuzzy Hash: e6a2a3665aa57794ef76faec0ef892bde901be25ad5782c87aec62df642b198f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E8D02232985038A38A273BC4BC048EDBF8CAA03B913022023EC041B310CF616C215BE5
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266000346.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266060104.0000000000224000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266155736.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266181253.000000000022B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266233083.0000000000237000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267289861.0000000000393000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267309954.0000000000396000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267335516.00000000003A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267335516.00000000003B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267383936.00000000003D0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267400513.00000000003D1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267423014.00000000003E5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267445313.00000000003F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267472657.0000000000412000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267493043.0000000000417000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267513144.0000000000418000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267540756.000000000041C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267559701.0000000000423000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267581683.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267607683.0000000000435000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267631333.0000000000439000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267652058.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267669882.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267702675.0000000000443000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267724273.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267747090.000000000044A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267766144.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267784909.000000000044E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267804089.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267832219.000000000046C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267853013.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267873995.0000000000477000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267894475.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267919777.0000000000489000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.0000000000497000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267986318.00000000004C6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268007038.00000000004C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268025129.00000000004C8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268043208.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268061439.00000000004D0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268080057.00000000004DD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268102404.00000000004DF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: db47bc127134fd32da8d2b06e5c526aab981f06803343deceaae93b361d25f09
                                                                                                                                                                                                                                                          • Instruction ID: 7cd3d5ca9390b7694a8d85afc6a5d9e7ea48502e3ade028780f57b5ceb6dcda4
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: db47bc127134fd32da8d2b06e5c526aab981f06803343deceaae93b361d25f09
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1751F332E045158FCB14CF2CCC81B99BBA2EF96314F19816CE854EB396CB75E914C7A0
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266000346.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266060104.0000000000224000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266155736.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266181253.000000000022B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266233083.0000000000237000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267289861.0000000000393000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267309954.0000000000396000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267335516.00000000003A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267335516.00000000003B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267383936.00000000003D0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267400513.00000000003D1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267423014.00000000003E5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267445313.00000000003F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267472657.0000000000412000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267493043.0000000000417000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267513144.0000000000418000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267540756.000000000041C000.00000040.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
Yara matches
Similarity
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
Yara matches
Similarity
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266000346.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266060104.0000000000224000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266155736.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266181253.000000000022B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266233083.0000000000237000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267289861.0000000000393000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267309954.0000000000396000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267335516.00000000003A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267335516.00000000003B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267383936.00000000003D0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267400513.00000000003D1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267423014.00000000003E5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267445313.00000000003F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267472657.0000000000412000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267493043.0000000000417000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267513144.0000000000418000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267540756.000000000041C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267559701.0000000000423000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267581683.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267607683.0000000000435000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267631333.0000000000439000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267652058.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267669882.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267702675.0000000000443000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267724273.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267747090.000000000044A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267766144.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267784909.000000000044E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267804089.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267832219.000000000046C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267853013.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267873995.0000000000477000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267894475.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267919777.0000000000489000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.0000000000497000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267986318.00000000004C6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268007038.00000000004C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268025129.00000000004C8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268043208.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268061439.00000000004D0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268080057.00000000004DD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268102404.00000000004DF000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _wcsrchr
                                                                                                                                                                                                                                                          • String ID: .bat$.cmd$.com$.exe
                                                                                                                                                                                                                                                          • API String ID: 1752292252-4019086052
                                                                                                                                                                                                                                                          • Opcode ID: da2d8a76e3e46ffe34267387bdcf84212bc5c7a79464e549599d9cfe9f2035fe
                                                                                                                                                                                                                                                          • Instruction ID: fbadfca85c60f611da11bdc4fd32416a02bb0b45e0a7905e194cd9b9ea2a076c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: da2d8a76e3e46ffe34267387bdcf84212bc5c7a79464e549599d9cfe9f2035fe
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0A01D277A1862D2567142018BC0267B17D99BE3BF072E003EFE48FB1C2EFA4DC5241A4
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266000346.00000000001C0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266060104.0000000000224000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266155736.0000000000229000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266181253.000000000022B000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2266233083.0000000000237000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267289861.0000000000393000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267309954.0000000000396000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267335516.00000000003A9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267335516.00000000003B6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267383936.00000000003D0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267400513.00000000003D1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267423014.00000000003E5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267445313.00000000003F9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267472657.0000000000412000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267493043.0000000000417000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267513144.0000000000418000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267540756.000000000041C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267559701.0000000000423000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267581683.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267607683.0000000000435000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267631333.0000000000439000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267652058.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267669882.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267702675.0000000000443000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267724273.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267747090.000000000044A000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
Yara matches
Similarity
• API ID: Mtx_unlock$Cnd_broadcast
• String ID:
• API String ID: 32384418-0
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
Yara matches
Similarity
• API ID: Xtime_diff_to_millis2_xtime_get
• String ID:
• API String ID: 531285432-0
Uniqueness
Uniqueness Score: -1.00%
APIs
Strings
Memory Dump Source
• Source File: 00000001.00000002.2266060104.00000000001C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267493043.0000000000417000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267513144.0000000000418000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267540756.000000000041C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267559701.0000000000423000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267581683.0000000000427000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267607683.0000000000435000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267631333.0000000000439000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267652058.000000000043A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267669882.000000000043C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267702675.0000000000443000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267724273.0000000000449000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267747090.000000000044A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267766144.000000000044D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267784909.000000000044E000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267804089.0000000000456000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267832219.000000000046C000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267853013.000000000046D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267873995.0000000000477000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267894475.0000000000478000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267919777.0000000000489000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.000000000048A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267942885.0000000000497000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2267986318.00000000004C6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268007038.00000000004C7000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268025129.00000000004C8000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268043208.00000000004CE000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268061439.00000000004D0000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268080057.00000000004DD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000001.00000002.2268102404.00000000004DF000.00000080.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_1_2_1c0000_tA6etkt3gb.jbxd
Yara matches
Similarity
• API ID: ___free_lconv_mon
• String ID: 8B"$`G"
• API String ID: 3903695350-4071524391
Uniqueness

Uniqueness Score: -1.00%

Execution Graph

Execution Coverage: 5.6%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 4.1%
Total number of Nodes: 1474
Total number of Limit Nodes: 76
39451->39452 39453 41592f 39452->39453 39454 4199b0 RtlAllocateHeap 39453->39454 39455 415943 39454->39455 39456 4198b0 RtlAllocateHeap 39455->39456 39457 415957 39456->39457 39458 4198b0 RtlAllocateHeap 39457->39458 39459 41596b 39458->39459 39460 4198b0 RtlAllocateHeap 39459->39460 39461 41597f 39460->39461 39462 4199b0 RtlAllocateHeap 39461->39462 39465 415993 Concurrency::details::ResourceManager::Release 39462->39465 39463 416627 39466 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39463->39466 39464 41677b 39467 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39464->39467 39465->39463 39465->39464 39469 41663d 39466->39469 39468 416790 39467->39468 39470 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39468->39470 39471 405d40 RtlAllocateHeap 39469->39471 39472 4167a5 39470->39472 39473 416648 39471->39473 39942 404940 RtlAllocateHeap Concurrency::details::ResourceManager::Release Concurrency::details::_CancellationTokenState::_RegisterCallback 39472->39942 39475 4199b0 RtlAllocateHeap 39473->39475 39478 41665c Concurrency::details::ResourceManager::Release __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 39475->39478 39476 4167b4 39477 418df0 RtlAllocateHeap 39476->39477 39482 4167fb 39477->39482 39478->39215 39479 4168f6 39480 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39479->39480 39481 41690c 39480->39481 39483 405d40 RtlAllocateHeap 39481->39483 39482->39479 39485 41a330 RtlAllocateHeap 39482->39485 39484 416917 39483->39484 39486 4198b0 RtlAllocateHeap 39484->39486 39485->39482 39486->39478 39491 408170 Concurrency::details::ResourceManager::Release __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ Concurrency::details::_CancellationTokenState::_RegisterCallback 39487->39491 39492 4080a5 Concurrency::details::ResourceManager::Release 39487->39492 39488 408237 39943 419890 
RtlAllocateHeap 39488->39943 39489 419750 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39489->39492 39491->39257 39492->39488 39492->39489 39492->39491 39494 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39493->39494 39495 4144f2 39494->39495 39496 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39495->39496 39497 414504 39496->39497 39498 408050 RtlAllocateHeap 39497->39498 39499 41450d 39498->39499 39500 414766 39499->39500 39532 414518 Concurrency::details::ResourceManager::Release 39499->39532 39501 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39500->39501 39502 414777 39501->39502 39503 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39502->39503 39505 41478c 39503->39505 39504 4148c3 39993 419890 RtlAllocateHeap 39504->39993 39508 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39505->39508 39506 419750 RtlAllocateHeap Concurrency::details::_CancellationTokenState::_RegisterCallback 39506->39532 39510 41479e 39508->39510 39509 41489e Concurrency::details::ResourceManager::Release __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 39509->39329 39512 413760 4 API calls 39510->39512 39511 41a910 RtlAllocateHeap 39511->39532 39513 414730 Concurrency::details::ResourceManager::Release Concurrency::details::_CancellationTokenState::_RegisterCallback 39512->39513 39513->39509 39515 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39513->39515 39520 414f90 Concurrency::details::ResourceManager::Release Concurrency::details::_CancellationTokenState::_RegisterCallback 39513->39520 39514 415079 Concurrency::details::ResourceManager::Release __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 39514->39329 39516 41492c 39515->39516 39517 405d40 RtlAllocateHeap 39516->39517 39518 
414933 39517->39518 39519 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39518->39519 39521 414945 39519->39521 39520->39514 39522 406160 5 API calls 39520->39522 39523 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39521->39523 39524 415135 39522->39524 39525 414957 39523->39525 39526 4064d0 RtlAllocateHeap 39524->39526 39527 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39525->39527 39531 415145 Concurrency::details::ResourceManager::Release 39526->39531 39529 414978 39527->39529 39528 419090 RtlAllocateHeap Concurrency::details::_CancellationTokenState::_RegisterCallback 39528->39532 39534 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39529->39534 39530 4078b0 8 API calls 39535 41520d 39530->39535 39531->39530 39533 416d66 Concurrency::details::_CancellationTokenState::_RegisterCallback 39531->39533 39532->39504 39532->39506 39532->39511 39532->39513 39532->39528 39944 413760 39532->39944 39537 414990 39534->39537 39538 4044b0 RtlAllocateHeap 39535->39538 39539 405d40 RtlAllocateHeap 39537->39539 39540 41521a 39538->39540 39541 414997 39539->39541 39542 407e50 2 API calls 39540->39542 39544 408050 RtlAllocateHeap 39541->39544 39543 415226 39542->39543 39545 4044b0 RtlAllocateHeap 39543->39545 39546 4149a3 39544->39546 39547 415233 39545->39547 39548 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39546->39548 39634 414c29 39546->39634 39554 4044b0 RtlAllocateHeap 39547->39554 39550 4149bf 39548->39550 39549 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39551 414c4f 39549->39551 39552 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39550->39552 39553 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39551->39553 39555 4149d7 39552->39555 39556 
414c64 39553->39556 39557 415250 39554->39557 39558 405d40 RtlAllocateHeap 39555->39558 39559 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39556->39559 39560 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39557->39560 39561 4149de 39558->39561 39562 414c76 39559->39562 39563 41526e 39560->39563 39564 408050 RtlAllocateHeap 39561->39564 39568 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39562->39568 39565 405d40 RtlAllocateHeap 39563->39565 39566 4149ea 39564->39566 39567 415275 39565->39567 39570 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39566->39570 39566->39634 39569 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39567->39569 39571 414c97 39568->39571 39572 41528a 39569->39572 39573 414a07 39570->39573 39574 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39571->39574 39575 405d40 RtlAllocateHeap 39572->39575 39576 405d40 RtlAllocateHeap 39573->39576 39577 414caf 39574->39577 39578 415291 39575->39578 39583 414a0f 39576->39583 39579 405d40 RtlAllocateHeap 39577->39579 39580 405e90 4 API calls 39578->39580 39581 414cb6 39579->39581 39590 4152a3 39580->39590 39582 408050 RtlAllocateHeap 39581->39582 39584 414cc2 39582->39584 39585 414a5b 39583->39585 39586 41509e 39583->39586 39584->39520 39589 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39584->39589 39587 419750 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39585->39587 39996 419890 RtlAllocateHeap 39586->39996 39594 414a79 Concurrency::details::ResourceManager::Release 39587->39594 39592 414cde 39589->39592 39593 419750 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39590->39593 39591 4150a3 
Concurrency::details::_CancellationTokenState::_RegisterCallback 39997 41d829 RtlAllocateHeap std::invalid_argument::invalid_argument Concurrency::details::SchedulerBase::Initialize 39591->39997 39595 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39592->39595 39601 41530c 39593->39601 39594->39591 39597 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39594->39597 39596 414cf6 39595->39596 39598 405d40 RtlAllocateHeap 39596->39598 39599 414b06 39597->39599 39600 414cfd 39598->39600 39602 405d40 RtlAllocateHeap 39599->39602 39604 408050 RtlAllocateHeap 39600->39604 39601->39601 39607 419470 RtlAllocateHeap 39601->39607 39613 414b0e 39602->39613 39606 414d09 39604->39606 39605 4150b7 39998 419890 RtlAllocateHeap 39605->39998 39606->39520 39611 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39606->39611 39609 415378 39607->39609 39612 418df0 RtlAllocateHeap 39609->39612 39610 4150bc 39999 41d869 RtlAllocateHeap std::invalid_argument::invalid_argument Concurrency::details::SchedulerBase::Initialize 39610->39999 39615 414d26 39611->39615 39618 4153d7 39612->39618 39616 419750 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39613->39616 39617 405d40 RtlAllocateHeap 39615->39617 39620 414b69 Concurrency::details::ResourceManager::Release 39616->39620 39621 414d2e 39617->39621 39624 415455 Concurrency::details::ResourceManager::Release 39618->39624 40000 41a330 RtlAllocateHeap Concurrency::details::ResourceManager::Release Concurrency::details::_CancellationTokenState::_RegisterCallback Concurrency::details::SchedulerBase::Initialize std::_Rethrow_future_exception 39618->40000 39620->39591 39620->39634 39994 4093c0 RtlAllocateHeap Concurrency::details::ResourceManager::Release __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ Concurrency::details::_CancellationTokenState::_RegisterCallback 
Concurrency::details::SchedulerBase::Initialize 39620->39994 39621->39605 39622 414d7a 39621->39622 39625 419750 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39622->39625 39626 419750 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39624->39626 39630 414d98 Concurrency::details::ResourceManager::Release 39625->39630 39635 41551d Concurrency::details::ResourceManager::Release 39626->39635 39627 414bf5 __dosmaperr 39627->39634 39995 43a0d9 GetPEB GetPEB RtlAllocateHeap 39627->39995 39628 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39631 414e25 39628->39631 39630->39520 39630->39628 39633 405d40 RtlAllocateHeap 39631->39633 39632 414c1d 39632->39591 39632->39634 39639 414e2d 39633->39639 39634->39549 39634->39610 39636 4044b0 RtlAllocateHeap 39635->39636 39637 4155bd 39636->39637 39638 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39637->39638 39640 4155d7 39638->39640 39641 419750 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39639->39641 39642 405d40 RtlAllocateHeap 39640->39642 39649 414e88 Concurrency::details::ResourceManager::Release 39641->39649 39643 4155e2 39642->39643 39644 4044b0 RtlAllocateHeap 39643->39644 39645 4155f7 39644->39645 39646 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39645->39646 39648 41560b 39646->39648 39647 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39650 414f17 39647->39650 39651 405d40 RtlAllocateHeap 39648->39651 39649->39520 39649->39647 39652 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39650->39652 39653 415616 39651->39653 39654 414f2c 39652->39654 39655 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39653->39655 39656 419090 
Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39654->39656 39657 415634 39655->39657 39658 414f47 39656->39658 39659 405d40 RtlAllocateHeap 39657->39659 39660 405d40 RtlAllocateHeap 39658->39660 39662 41563f 39659->39662 39661 414f4e 39660->39661 39665 419750 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39661->39665 39663 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39662->39663 39664 41565d 39663->39664 39666 405d40 RtlAllocateHeap 39664->39666 39667 414f87 39665->39667 39668 415668 39666->39668 39669 4144b0 10 API calls 39667->39669 39670 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39668->39670 39669->39520 39671 415686 39670->39671 39672 405d40 RtlAllocateHeap 39671->39672 39673 415691 39672->39673 39674 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39673->39674 39675 4156af 39674->39675 39676 405d40 RtlAllocateHeap 39675->39676 39677 4156ba 39676->39677 39678 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39677->39678 39679 4156d8 39678->39679 39680 405d40 RtlAllocateHeap 39679->39680 39681 4156e3 39680->39681 39682 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39681->39682 39683 415701 39682->39683 39684 405d40 RtlAllocateHeap 39683->39684 39685 41570c 39684->39685 39686 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39685->39686 39687 41572a 39686->39687 39688 405d40 RtlAllocateHeap 39687->39688 39689 415735 39688->39689 39690 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39689->39690 39691 415751 39690->39691 39692 405d40 RtlAllocateHeap 39691->39692 39693 41575c 39692->39693 39694 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39693->39694 39695 415773 
39694->39695 39696 405d40 RtlAllocateHeap 39695->39696 39697 41577e 39696->39697 39698 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39697->39698 39699 415795 39698->39699 39700 405d40 RtlAllocateHeap 39699->39700 39701 4157a0 39700->39701 39702 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39701->39702 39703 4157bc 39702->39703 39704 405d40 RtlAllocateHeap 39703->39704 39705 4157c7 39704->39705 39706 4199b0 RtlAllocateHeap 39705->39706 39707 4157db 39706->39707 39708 4198b0 RtlAllocateHeap 39707->39708 39709 4157ef 39708->39709 39710 4198b0 RtlAllocateHeap 39709->39710 39711 415803 39710->39711 39712 4198b0 RtlAllocateHeap 39711->39712 39713 415817 39712->39713 39714 4199b0 RtlAllocateHeap 39713->39714 39715 41582b 39714->39715 39716 4198b0 RtlAllocateHeap 39715->39716 39717 41583f 39716->39717 39718 4199b0 RtlAllocateHeap 39717->39718 39719 415853 39718->39719 39720 4198b0 RtlAllocateHeap 39719->39720 39721 415867 39720->39721 39722 4199b0 RtlAllocateHeap 39721->39722 39723 41587b 39722->39723 39724 4198b0 RtlAllocateHeap 39723->39724 39725 41588f 39724->39725 39726 4199b0 RtlAllocateHeap 39725->39726 39727 4158a3 39726->39727 39728 4198b0 RtlAllocateHeap 39727->39728 39729 4158b7 39728->39729 39730 4199b0 RtlAllocateHeap 39729->39730 39731 4158cb 39730->39731 39732 4198b0 RtlAllocateHeap 39731->39732 39733 4158df 39732->39733 39734 4199b0 RtlAllocateHeap 39733->39734 39735 4158f3 39734->39735 39736 4198b0 RtlAllocateHeap 39735->39736 39737 415907 39736->39737 39738 4199b0 RtlAllocateHeap 39737->39738 39739 41591b 39738->39739 39740 4198b0 RtlAllocateHeap 39739->39740 39741 41592f 39740->39741 39742 4199b0 RtlAllocateHeap 39741->39742 39743 415943 39742->39743 39744 4198b0 RtlAllocateHeap 39743->39744 39745 415957 39744->39745 39746 4198b0 RtlAllocateHeap 39745->39746 39747 41596b 39746->39747 39748 4198b0 RtlAllocateHeap 39747->39748 39749 41597f 39748->39749 39750 4199b0 
RtlAllocateHeap 39749->39750 39753 415993 Concurrency::details::ResourceManager::Release 39750->39753 39751 416627 39754 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39751->39754 39752 41677b 39755 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39752->39755 39753->39751 39753->39752 39757 41663d 39754->39757 39756 416790 39755->39756 39758 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39756->39758 39759 405d40 RtlAllocateHeap 39757->39759 39760 4167a5 39758->39760 39761 416648 39759->39761 40001 404940 RtlAllocateHeap Concurrency::details::ResourceManager::Release Concurrency::details::_CancellationTokenState::_RegisterCallback 39760->40001 39763 4199b0 RtlAllocateHeap 39761->39763 39774 41665c Concurrency::details::ResourceManager::Release __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 39763->39774 39764 4167b4 39765 418df0 RtlAllocateHeap 39764->39765 39771 4167fb 39765->39771 39766 4168f6 39767 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39766->39767 39768 41690c 39767->39768 39769 405d40 RtlAllocateHeap 39768->39769 39770 416917 39769->39770 39773 4198b0 RtlAllocateHeap 39770->39773 39771->39766 39772 41a330 RtlAllocateHeap 39771->39772 39772->39771 39773->39774 39774->39329 39798 49f04c1 39775->39798 39776 4061bf LookupAccountNameA 39777 406212 39776->39777 39778 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39777->39778 39779 406226 39778->39779 39780 405d40 RtlAllocateHeap 39779->39780 39781 406231 39780->39781 40011 4021c0 39781->40011 39783 406249 Concurrency::details::ResourceManager::Release 39784 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39783->39784 39796 406463 Concurrency::details::ResourceManager::Release __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 
Concurrency::details::_CancellationTokenState::_RegisterCallback 39783->39796 39785 4062b2 39784->39785 39786 405d40 RtlAllocateHeap 39785->39786 39787 4062bd 39786->39787 39788 4021c0 3 API calls 39787->39788 39797 4062d7 Concurrency::details::ResourceManager::Release 39788->39797 39789 4063d2 39790 419750 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39789->39790 39792 40641c 39790->39792 39791 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39791->39797 39793 419750 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39792->39793 39793->39796 39794 405d40 RtlAllocateHeap 39794->39797 39795 4021c0 3 API calls 39795->39797 39796->39238 39797->39789 39797->39791 39797->39794 39797->39795 39797->39796 39798->39776 39806 406548 Concurrency::details::ResourceManager::Release 39799->39806 39808 406821 39799->39808 39800 4068e3 40039 419890 RtlAllocateHeap 39800->40039 39801 406844 39802 419750 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39801->39802 39804 406863 Concurrency::details::ResourceManager::Release __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ Concurrency::details::_CancellationTokenState::_RegisterCallback 39802->39804 39804->39244 39805 419750 RtlAllocateHeap Concurrency::details::_CancellationTokenState::_RegisterCallback 39805->39806 39806->39800 39806->39804 39806->39805 39807 41a910 RtlAllocateHeap 39806->39807 39806->39808 39807->39806 39808->39800 39808->39801 39810 407916 Concurrency::details::SchedulerBase::Initialize 39809->39810 39811 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39810->39811 39850 407a68 Concurrency::details::ResourceManager::Release __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ Concurrency::details::_CancellationTokenState::_RegisterCallback 39810->39850 39812 407947 39811->39812 39813 405d40 RtlAllocateHeap 39812->39813 
39814 407952 39813->39814 39815 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39814->39815 39816 407974 39815->39816 39817 405d40 RtlAllocateHeap 39816->39817 39819 40797f Concurrency::details::ResourceManager::Release 39817->39819 39818 407a53 GetNativeSystemInfo 39820 407a57 39818->39820 39819->39818 39819->39820 39819->39850 39821 407b94 39820->39821 39822 407abf 39820->39822 39820->39850 39823 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39821->39823 39824 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39822->39824 39825 407bc0 39823->39825 39826 407ae0 39824->39826 39827 405d40 RtlAllocateHeap 39825->39827 39828 405d40 RtlAllocateHeap 39826->39828 39829 407bc7 39827->39829 39830 407ae7 39828->39830 39832 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39829->39832 39831 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39830->39831 39833 407aff 39831->39833 39834 407bdf 39832->39834 39835 405d40 RtlAllocateHeap 39833->39835 39836 405d40 RtlAllocateHeap 39834->39836 39837 407b06 39835->39837 39838 407be6 39836->39838 39839 405e90 4 API calls 39837->39839 39840 405e90 4 API calls 39838->39840 39841 407b1b 39839->39841 39842 407bf7 39840->39842 40040 43a1e1 GetPEB GetPEB RtlAllocateHeap 39841->40040 39843 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39842->39843 39845 407c12 39843->39845 39846 405d40 RtlAllocateHeap 39845->39846 39847 407c19 39846->39847 40041 405860 RtlAllocateHeap Concurrency::details::ResourceManager::Release __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ Concurrency::details::_CancellationTokenState::_RegisterCallback 39847->40041 39849 407c28 39851 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39849->39851 39850->39247 39852 407c63 39851->39852 
39853 405d40 RtlAllocateHeap 39852->39853 39854 407c6a 39853->39854 39855 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39854->39855 39856 407c82 39855->39856 39857 405d40 RtlAllocateHeap 39856->39857 39858 407c89 39857->39858 39859 405e90 4 API calls 39858->39859 39860 407c9a 39859->39860 39861 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39860->39861 39862 407cb5 39861->39862 39863 405d40 RtlAllocateHeap 39862->39863 39864 407cbc 39863->39864 40042 405860 RtlAllocateHeap Concurrency::details::ResourceManager::Release __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ Concurrency::details::_CancellationTokenState::_RegisterCallback 39864->40042 39866 407ccb 39867 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39866->39867 39868 407d06 39867->39868 39869 405d40 RtlAllocateHeap 39868->39869 39870 407d0d 39869->39870 39871 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39870->39871 39872 407d25 39871->39872 39873 405d40 RtlAllocateHeap 39872->39873 39874 407d2c 39873->39874 39875 405e90 4 API calls 39874->39875 39876 407d3d 39875->39876 39877 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39876->39877 39878 407d58 39877->39878 39879 405d40 RtlAllocateHeap 39878->39879 39880 407d5f 39879->39880 40043 405860 RtlAllocateHeap Concurrency::details::ResourceManager::Release __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ Concurrency::details::_CancellationTokenState::_RegisterCallback 39880->40043 39883 4044d4 39882->39883 39883->39883 39884 404547 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ 39883->39884 39885 419750 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39883->39885 39884->39251 39885->39884 39887 407eb5 Concurrency::details::SchedulerBase::Initialize 39886->39887 39888 419090 
Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39887->39888 39897 407ed3 __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ Concurrency::details::_CancellationTokenState::_RegisterCallback 39887->39897 39889 407eec 39888->39889 39890 405d40 RtlAllocateHeap 39889->39890 39891 407ef7 39890->39891 39892 419090 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39891->39892 39893 407f19 39892->39893 39894 405d40 RtlAllocateHeap 39893->39894 39895 407f24 Concurrency::details::ResourceManager::Release 39894->39895 39896 407ff4 GetNativeSystemInfo 39895->39896 39895->39897 39896->39897 39897->39254 40044 435780 39898->40044 39901 405f41 RegCloseKey 39903 405f67 39901->39903 39902 405f17 RegQueryValueExA 39902->39901 39903->39903 39904 419750 Concurrency::details::_CancellationTokenState::_RegisterCallback RtlAllocateHeap 39903->39904 39905 405f7f Concurrency::details::ResourceManager::Release __ehhandler$??1UMSThreadProxy@details@Concurrency@@UAE@XZ Concurrency::details::_CancellationTokenState::_RegisterCallback 39904->39905 39905->39302 39909 419491 __InternalCxxFrameHandler 39906->39909 39910 4194bc 39906->39910 39907 4195b0 40047 41a900 RtlAllocateHeap Concurrency::details::_CancellationTokenState::_RegisterCallback 39907->40047 39909->39321 39910->39907 39911 4195ab 39910->39911 39913 419510 39910->39913 39914 419537 39910->39914 40046 402380 RtlAllocateHeap ___std_exception_copy Concurrency::details::_CancellationTokenState::_RegisterCallback Concurrency::details::SchedulerBase::Initialize 39911->40046 39913->39911 39915 41951b 39913->39915 39916 41ea77 Concurrency::details::SchedulerBase::Initialize RtlAllocateHeap 39914->39916 39918 419521 Concurrency::details::ResourceManager::Release Concurrency::details::_CancellationTokenState::_RegisterCallback std::_Rethrow_future_exception 39914->39918 39917 41ea77 Concurrency::details::SchedulerBase::Initialize RtlAllocateHeap 39915->39917 39916->39918 
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID:
• String ID: #$111$246122658369$4AJS7teoFA==$4AJS7xCZFC =$6f78c5$9QF$CgNm5NG2$IJ==$IzE+$Pgf$Qt==$SMs=$Sww=$Szpk$Ef$SF$vq
• API String ID: 0-2801895719
• Opcode ID: f3f65cc0d6593570b9c6de4c81da18e8e1a50c90f910bbaeddd4000689f1f034
• Instruction ID: 339638af745d8a299b3ffb7820b39da1073f1c841b4592a1a2d983ba98845356
• Opcode Fuzzy Hash: f3f65cc0d6593570b9c6de4c81da18e8e1a50c90f910bbaeddd4000689f1f034
• Instruction Fuzzy Hash: E872E470900248DBEF14EF69C9497DE7FB5AF46308F60419EE805273C2D7795A88CB9A
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
• Executed
• Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 4060 443b37-443b5f call 443753 call 4437b1 4065 443d05-443d3a call 438317 call 443753 call 4437b1 4060->4065 4066 443b65-443b71 call 443759 4060->4066 4092 443d40-443d4c call 443759 4065->4092 4093 443e62-443ebe call 438317 call 44790e 4065->4093 4066->4065 4071 443b77-443b82 4066->4071 4073 443b84-443b86 4071->4073 4074 443bb8-443bc1 call 43c415 4071->4074 4076 443b88-443b8c 4073->4076 4083 443bc4-443bc9 4074->4083 4079 443b8e-443b90 4076->4079 4080 443ba8-443baa 4076->4080 4084 443ba4-443ba6 4079->4084 4085 443b92-443b98 4079->4085 4086 443bad-443baf 4080->4086 4083->4083 4088 443bcb-443bec call 43c66b call 43c415 4083->4088 4084->4086 4085->4080 4089 443b9a-443ba2 4085->4089 4090 443bb5 4086->4090 4091 443d01-443d04 4086->4091 4088->4091 4108 443bf2-443bf5 4088->4108 4089->4076 4089->4084 4090->4074 4092->4093 4102 443d52-443d5e call 443785 4092->4102 4110 443ec0-443ec6 4093->4110 4111 443ec8-443ecb 4093->4111 4102->4093 4109 443d64-443d85 call 43c415 GetTimeZoneInformation 4102->4109 4112 443bf8-443bfd 4108->4112 4122 443e40-443e61 call 44374d call 443741 call 443747 4109->4122 4123 443d8b-443dac 4109->4123 4115 443f0e-443f20 4110->4115 4114 443ecd-443edd call 43c66b 4111->4114 4111->4115 4112->4112 4116 443bff-443c11 call 43b811 4112->4116 4131 443ee7-443f00 call 44790e 4114->4131 4132 443edf 4114->4132 4119 443f30 4115->4119 4120 443f22-443f25 4115->4120 4116->4065 4135 443c17-443c2a call 446137 4116->4135 4127 443f35-443f4a call 43c415 call 41e681 4119->4127 4128 443f30 call 443d12 4119->4128 4120->4119 4125 443f27-443f2e call 443b37 4120->4125 4129 443db6-443dbd 4123->4129 4130 443dae-443db3 4123->4130 4125->4127 4128->4127 4138 443dcf-443dd1 4129->4138 4139 443dbf-443dc6 4129->4139 4130->4129 
4155 443f05-443f0b call 43c415 4131->4155 4156 443f02-443f03 4131->4156 4137 443ee0-443ee5 call 43c415 4132->4137 4135->4065 4158 443c30-443c33 4135->4158 4159 443f0d 4137->4159 4147 443dd3-443dfc call 440537 call 43ff46 4138->4147 4139->4138 4146 443dc8-443dcd 4139->4146 4146->4147 4172 443dfe-443e01 4147->4172 4173 443e0a-443e0c 4147->4173 4155->4159 4156->4137 4163 443c35-443c39 4158->4163 4164 443c3b-443c41 4158->4164 4159->4115 4163->4158 4163->4164 4166 443c44-443c51 call 43a1e1 4164->4166 4167 443c43 4164->4167 4177 443c54-443c59 4166->4177 4167->4166 4172->4173 4175 443e03-443e08 4172->4175 4176 443e0e-443e2c call 43ff46 4173->4176 4175->4176 4183 443e2e-443e31 4176->4183 4184 443e3b-443e3e 4176->4184 4179 443c62-443c63 4177->4179 4180 443c5b-443c60 4177->4180 4179->4177 4180->4179 4182 443c65-443c68 4180->4182 4185 443cb6-443cb9 4182->4185 4186 443c6a-443c81 call 43a1e1 4182->4186 4183->4184 4187 443e33-443e39 4183->4187 4184->4122 4188 443cc0-443cd4 4185->4188 4189 443cbb-443cbd 4185->4189 4195 443c95-443c97 4186->4195 4196 443c83 4186->4196 4187->4122 4191 443cd6-443ce6 call 446137 4188->4191 4192 443cea 4188->4192 4189->4188 4191->4065 4204 443ce8 4191->4204 4197 443ced-443cff call 44374d call 443741 4192->4197 4195->4185 4198 443c99-443ca9 call 43a1e1 4195->4198 4200 443c85-443c8a 4196->4200 4197->4091 4209 443cb0-443cb4 4198->4209 4200->4195 4205 443c8c-443c93 4200->4205 4204->4197 4205->4195 4205->4200 4209->4185 4210 443cab-443cad 4209->4210 4210->4185 4211 443caf 4210->4211 4211->4209
APIs
• GetTimeZoneInformation.KERNELBASE(?,00000000,00000000,00000000,?,00458728), ref: 00443D7C
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: InformationTimeZone
• String ID: 5?D$W. Europe Standard Time$W. Europe Summer Time
• API String ID: 565725191-123115289
• Opcode ID: d7bbcd76f15e933e988cc8ef08ce995bea7056570010276433c099b37fe2b04d
• Instruction ID: dbba34c122b406c2ac3a439b9303471cdef2012fa107d376c31bc5aa2f82062e
• Opcode Fuzzy Hash: d7bbcd76f15e933e988cc8ef08ce995bea7056570010276433c099b37fe2b04d
• Instruction Fuzzy Hash: 32C15CB19001449BFB14AF298C81BEA7BB9DF55B15F24416FE491D7342EB389F02875C
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

Block list for the function at 00406160, rebuilt from the flattened graph text (block id, address range, calls, successors):
• 4212 [406160-4061b9] -> 4286, 4287, 4288, 4289, 4290, 4291, 4292, 4293
• 4286 [4061ba] call 49f04ec -> 4213
• 4287 [4061ba] call 49f05ca -> 4213
• 4288 [4061ba] call 49f057a -> 4213
• 4289 [4061ba] call 49f0518 -> 4213
• 4290 [4061ba] call 49f0528 -> 4213
• 4291 [4061ba] call 49f0555 -> 4213
• 4292 [4061ba] call 49f04e3 -> 4213
• 4293 [4061ba] call 49f04c1 -> 4213
• 4213 [4061bf-406238] LookupAccountNameA, call 419090, call 405d40 -> 4219, 4220
• 4219 [40623a] -> 4220
• 4220 [40623c-40625b] call 4021c0 -> 4223, 4224
• 4223 [40628c-406292] -> 4227
• 4224 [40625d-40626c] -> 4225, 4226
• 4225 [406282-406289] call 41ecf8 -> 4223
• 4226 [40626e-40627c] -> 4225, 4228
• 4227 [406295-40629a] -> 4227, 4230
• 4228 [4064b7] call 4382fa -> 4235
• 4230 [40629c-4062c4] call 419090, call 405d40 -> 4240, 4241
• 4235 [4064bc] call 4382fa -> 4239
• 4239 [4064c1-4064c6] call 4382fa (no successors)
• 4240 [4062c6] -> 4241
• 4241 [4062c8-4062e9] call 4021c0 -> 4246, 4247
• 4246 [40631a-40632e] -> 4253, 4254
• 4247 [4062eb-4062fa] -> 4248, 4249
• 4248 [406310-406317] call 41ecf8 -> 4246
• 4249 [4062fc-40630a] -> 4235, 4248
• 4253 [406334-40633a] -> 4255
• 4254 [4063d8-4063fc] -> 4256
• 4255 [406340-40636d] call 419090, call 405d40 -> 4269, 4270
• 4256 [406400-406405] -> 4256, 4257
• 4257 [406407-40646c] call 419750 (x2) -> 4266, 4267
• 4266 [406499-4064b6] call 41e681 (no successors)
• 4267 [40646e-40647d] -> 4271, 4272
• 4269 [406371-406398] call 4021c0 -> 4279, 4280
• 4270 [40636f] -> 4269
• 4271 [40648f-406496] call 41ecf8 -> 4266
• 4272 [40647f-40648d] -> 4239, 4271
• 4279 [4063c9-4063cc] -> 4255, 4283
• 4280 [40639a-4063a9] -> 4281, 4282
• 4281 [4063ab-4063b9] -> 4228, 4282
• 4282 [4063bf-4063c6] call 41ecf8 -> 4279
• 4283 [4063d2] -> 4254
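The graph text Joe Sandbox emits for a function is a flat token stream: a decimal node id, the block's address or address range, optional API names and `call <target>` annotations (with `* N` for repeated calls), and `src->dst` edges. The parser below is an added example written for this page, not code from Joe Sandbox; the token layout it assumes is inferred from the report text above, and `CFG_TEXT` is an excerpt of the graph for the function at 0x406160 copied from the report (the entry block, its eight stub successors, the LookupAccountNameA block and the block whose call is annotated `* 2`).

```python
"""Parse Joe Sandbox's flattened control-flow-graph text into blocks and edges.

Added example for this page (not Joe Sandbox code). The token layout is an
assumption inferred from the report text; CFG_TEXT is an excerpt of the graph
for the function at 0x406160 as it appears in the report.
"""
import re

CFG_TEXT = (
    "control_flow_graph 4212 406160-4061b9 4286 4061ba call 49f04ec 4212->4286 "
    "4287 4061ba call 49f05ca 4212->4287 4288 4061ba call 49f057a 4212->4288 "
    "4289 4061ba call 49f0518 4212->4289 4290 4061ba call 49f0528 4212->4290 "
    "4291 4061ba call 49f0555 4212->4291 4292 4061ba call 49f04e3 4212->4292 "
    "4293 4061ba call 49f04c1 4212->4293 "
    "4213 4061bf-406238 LookupAccountNameA call 419090 call 405d40 "
    "4219 40623a 4213->4219 4220 40623c-40625b call 4021c0 4213->4220 4219->4220 "
    "4257 406407-40646c call 419750 * 2 4256->4257 "
    "4266 406499-4064b6 call 41e681 4257->4266 4267 40646e-40647d 4257->4267 "
    "4286->4213 4287->4213 4288->4213 4289->4213 4290->4213 4291->4213 "
    "4292->4213 4293->4213"
)

# A node is a short decimal id followed by a 6+ digit hex address or range.
# Requiring 6+ hex digits keeps label fragments such as "* 2" from being read
# as a node id ("2" would otherwise pair with the next node id as its address).
NODE_RE = re.compile(r"\b(\d{1,5}) ([0-9a-f]{6,}(?:-[0-9a-f]{6,})?)\b")
EDGE_RE = re.compile(r"\b(\d{1,5})->(\d{1,5})\b")
# "call <target>" optionally followed by "* <count>" for repeated calls.
CALL_RE = re.compile(r"\bcall ([0-9a-f]{6,})(?: \* (\d+))?")


def parse_cfg(text):
    """Return (blocks, edges).

    blocks: {node_id: {"range": str, "apis": [names], "calls": [(target, count)]}}
    edges:  list of (src, dst) node id pairs, in the order they appear
    """
    edge_matches = list(EDGE_RE.finditer(text))
    edges = [(m.group(1), m.group(2)) for m in edge_matches]
    edge_spans = [m.span() for m in edge_matches]
    # A node match that starts inside an edge token is not a node.
    nodes = [m for m in NODE_RE.finditer(text)
             if not any(s <= m.start() < e for s, e in edge_spans)]
    # Each node's label runs from the end of its match to the next match start.
    boundaries = sorted([m.start() for m in nodes]
                        + [s for s, _ in edge_spans] + [len(text)])
    blocks = {}
    for m in nodes:
        nxt = min(b for b in boundaries if b > m.start())
        label = text[m.end():nxt].strip()
        calls = [(tgt, int(n) if n else 1) for tgt, n in CALL_RE.findall(label)]
        # Whatever is left after removing the call annotations is an API name.
        rest = CALL_RE.sub("", label).split()
        apis = [tok for tok in rest if tok != "*" and not tok.isdigit()]
        blocks[m.group(1)] = {"range": m.group(2), "apis": apis, "calls": calls}
    return blocks, edges


def blocks_calling(blocks, api):
    """Node ids of blocks that invoke the named API."""
    return sorted(n for n, b in blocks.items() if api in b["apis"])


def predecessors(edges, node):
    return sorted(src for src, dst in edges if dst == node)


def successors(edges, node):
    return sorted(dst for src, dst in edges if src == node)


if __name__ == "__main__":
    blocks, edges = parse_cfg(CFG_TEXT)
    for n in blocks_calling(blocks, "LookupAccountNameA"):
        print(n, blocks[n]["range"], "reached from", predecessors(edges, n))
```

With the full graph text pasted into `CFG_TEXT` the same helpers answer which blocks call a given API and how the entry block reaches them; on this excerpt `predecessors(edges, "4213")` returns the eight stub blocks at 4061ba that entry block 4212 fans out to, and the `* 2` annotation on block 4257 is recorded as a call count rather than mistaken for a node.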
APIs
• LookupAccountNameA.ADVAPI32(00000000,?,?,000000FF,?,?,?), ref: 00406200
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: AccountLookupName
• String ID: CLTk8G==$ELNk8G==$NrSd6xKm
• API String ID: 1484870144-3685683383
• Opcode ID: 58131440e85afbd1d306866e6ff0af3278241d40fdaf54819ef89ce28633a9f4
• Instruction ID: 19de9b17e51712abfb791d16094601f8f8e39ae2f3702b719929df0f8bc37481
• Opcode Fuzzy Hash: 58131440e85afbd1d306866e6ff0af3278241d40fdaf54819ef89ce28633a9f4
• Instruction Fuzzy Hash: 4091D6B19001189BDB28DB24CC85BDEB779EB45304F5045FEE519A7282DB389EC4CFA9
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph
• (graph rendering not reproduced; basic blocks 40b3fc-40b651, API calls listed under APIs below)
APIs
• CreateFileA.KERNELBASE(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0040B447
• InternetOpenUrlA.WININET(00000000,?,00000000,00000000,00000000,00000000), ref: 0040B47D
• InternetReadFile.WININET(00000000,00000000,?,?), ref: 0040B48E
• WriteFile.KERNELBASE(?,00000000,?,?,00000000), ref: 0040B4B2
• InternetReadFile.WININET(00000000,00000000,?,?), ref: 0040B4BD
• InternetCloseHandle.WININET(?), ref: 0040B4D9
• InternetCloseHandle.WININET(00000000), ref: 0040B4DC
• InternetOpenW.WININET(0045AD34,00000000,00000000,00000000,00000000,93673986), ref: 0040B6ED
• InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 0040B711
• HttpOpenRequestA.WININET(?,00000000), ref: 0040B75B
• HttpSendRequestA.WININET(?,00000000), ref: 0040B81B
• InternetReadFile.WININET(?,?,000003FF,?), ref: 0040B8CD
• InternetCloseHandle.WININET(?), ref: 0040B9A7
• InternetCloseHandle.WININET(?), ref: 0040B9AF
• InternetCloseHandle.WININET(?), ref: 0040B9B7
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Internet$CloseFileHandle$OpenRead$HttpRequest$ConnectCreateSendWrite
• String ID: 4AJS7teoFA==$4AJS7xCZFC =$Nx1LPq==
• API String ID: 1482551946-3681961738
• Opcode ID: 01194d6ecd508a3221d37783915119b579fea11058fa8941637c699ad74a7876
• Instruction ID: 26fe7a70ca56172546039e8862598de6fc26eaf252b847cb6920679a913ff1df
• Opcode Fuzzy Hash: 01194d6ecd508a3221d37783915119b579fea11058fa8941637c699ad74a7876
• Instruction Fuzzy Hash: 36720371A002089BEB18DF68CD85BDEBB75EF45304F50426EF905A72D2D7399A80CB9D
Uniqueness
• Uniqueness Score: -1.00%
Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
control_flow_graph 1413 4132fe-413300 1414 413302-413308 1413->1414 1415 413339-41333d 1413->1415 1414->1415 1416 41330a-413319 1414->1416 1417 413343-41337c call 419090 call 405d40 call 4199b0 1415->1417 1418 413467-41346f 1415->1418 1419 41331b-413329 1416->1419 1420 41332f-413336 call 41ecf8 1416->1420 1421 413470-4134ec call 419090 call 41ed06 call 435780 InternetReadFile 1418->1421 1419->1420 1423 41374f 1419->1423 1420->1415 1438 4133e6-4133ec 1417->1438 1439 41337e-413384 1417->1439 1430 413754 1423->1430 1435 413759 1430->1435 1435->1435 1443 41341a-413436 1438->1443 1444 4133ee-4133fa 1438->1444 1441 4133b2-4133e3 1439->1441 1442 413386-413392 1439->1442 1441->1438 1445 413394-4133a2 1442->1445 1446 4133a8-4133af call 41ecf8 1442->1446 1443->1418 1450 413438-413447 1443->1450 1447 413410-413417 call 41ecf8 1444->1447 1448 4133fc-41340a 1444->1448 1445->1430 1445->1446 1446->1441 1447->1443 1448->1430 1448->1447 1453 413449-413457 1450->1453 1454 41345d-413464 call 41ecf8 1450->1454 1453->1430 1453->1454 1454->1418 1460 413502-413507 InternetCloseHandle * 2 1421->1460 1461 4134ee-4134f8 InternetCloseHandle * 2 call 406c20 1421->1461 1463 413509-413513 1460->1463 1464 4134fd-413500 1461->1464 1465 413541-413545 1463->1465 1466 413515-413521 1463->1466 1464->1463 1469 413547-413556 1465->1469 1470 4135bd-413618 call 419090 call 405d40 call 419090 * 3 1465->1470 1467 413523-413531 1466->1467 1468 413537-41353e call 41ecf8 1466->1468 1467->1423 1467->1468 1468->1465 1469->1421 1477 41355c-4135bb call 419090 call 405d40 call 419090 * 3 1469->1477 1492 41361c-41362e call 419090 call 40dd40 1470->1492 1477->1492 1499 413633-41363c 1492->1499 1500 41366a-413682 1499->1500 1501 41363e-41364a 1499->1501 1504 4136b0-4136c8 1500->1504 1505 413684-413690 1500->1505 1502 413660-413667 call 41ecf8 1501->1502 1503 41364c-41365a 1501->1503 1502->1500 1503->1435 1503->1502 1506 4136f2-41370a 1504->1506 1507 4136ca-4136d6 1504->1507 1509 413692-4136a0 1505->1509 1510 4136a6-4136ad call 41ecf8 1505->1510 1514 413734-41374e call 41e681 1506->1514 1515 41370c-413718 1506->1515 1512 4136e8-4136ef call 41ecf8 1507->1512 1513 4136d8-4136e6 1507->1513 1509->1435 1509->1510 1510->1504 1512->1506 1513->1435 1513->1512 1520 41372a-413731 call 41ecf8 1515->1520 1521 41371a-413728 1515->1521 1520->1514 1521->1435 1521->1520
APIs
• InternetReadFile.WININET(00000000,?,?,?), ref: 004134E2
• InternetCloseHandle.WININET(?), ref: 004134EE
• InternetCloseHandle.WININET(?), ref: 004134F3
• InternetCloseHandle.WININET(?), ref: 00413502
• InternetCloseHandle.WININET(?), ref: 00413507
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandle$FileRead
• String ID: "$246122658369$4AJS7teoFA==$5120$Bp==$Drkj$RVTc$SMs=$SQ d$Sww=$Szpk
• API String ID: 1486478399-776190263
• Opcode ID: 8cfef98f33b9168dfe4690b69d8ae074c0e742c2a77e5d7cc3585724447791e6
• Instruction ID: 3a72a55300571274c566d1637d1fb951c96dc5f715cd3562d8e3da96b6fa5db0
• Opcode Fuzzy Hash: 8cfef98f33b9168dfe4690b69d8ae074c0e742c2a77e5d7cc3585724447791e6
• Instruction Fuzzy Hash: 74C114B1A00248ABEF18EF68CD467DD7F719F46304F60814EF815A72C2DB399AC48799
Uniqueness

Uniqueness Score: -1.00%
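The control_flow_graph line above is the textual form of this function's graph: block 1421 (0x413470-0x4134ec) calls InternetReadFile, blocks 1460 and 1461 each close two WinINet handles, and block 1469 jumps back to 1421, so the read sits in a loop that drains the HTTP response rather than reading a single chunk. Together with the previous function entry's API ID (Internet$CloseFileHandle$OpenRead$HttpRequest$ConnectCreateSendWrite, i.e. the open/connect/request/send side), this is the shape of a payload-download routine. The following Python script, an added example and not Joe Sandbox's own code, reconstructs the graph from the report's edge list (the token format is inferred from the text above and is an assumption, not a documented format), lists the blocks that call WinINet APIs and reports which of them are re-entrant, so the loop can be confirmed from the report alone:

```python
"""Reconstruct a function's control-flow graph from the control_flow_graph edge
list printed by the Joe Sandbox IDA plugin and locate its WinINet read loop.

Added example, not Joe Sandbox code.  Token format inferred from the report text
(an assumption): "<id> <start>[-<end>]" opens a basic block, "call <addr>" and
"<ApiName>" annotate it, "* <n>" repeats the previous annotation n times, and
"<id>-><id>" is a control-flow edge.
"""
import re
from collections import defaultdict

# Edge list of the function at 0x4132fe, copied from the report above.
CFG_TEXT = """
1413 4132fe-413300 1414 413302-413308 1413->1414 1415 413339-41333d 1413->1415 1414->1415
1416 41330a-413319 1414->1416 1417 413343-41337c call 419090 call 405d40 call 4199b0 1415->1417
1418 413467-41346f 1415->1418 1419 41331b-413329 1416->1419 1420 41332f-413336 call 41ecf8 1416->1420
1421 413470-4134ec call 419090 call 41ed06 call 435780 InternetReadFile 1418->1421 1419->1420
1423 41374f 1419->1423 1420->1415 1438 4133e6-4133ec 1417->1438 1439 41337e-413384 1417->1439
1430 413754 1423->1430 1435 413759 1430->1435 1435->1435 1443 41341a-413436 1438->1443
1444 4133ee-4133fa 1438->1444 1441 4133b2-4133e3 1439->1441 1442 413386-413392 1439->1442 1441->1438
1445 413394-4133a2 1442->1445 1446 4133a8-4133af call 41ecf8 1442->1446 1443->1418
1450 413438-413447 1443->1450 1447 413410-413417 call 41ecf8 1444->1447 1448 4133fc-41340a 1444->1448
1445->1430 1445->1446 1446->1441 1447->1443 1448->1430 1448->1447 1453 413449-413457 1450->1453
1454 41345d-413464 call 41ecf8 1450->1454 1453->1430 1453->1454 1454->1418
1460 413502-413507 InternetCloseHandle * 2 1421->1460
1461 4134ee-4134f8 InternetCloseHandle * 2 call 406c20 1421->1461
1463 413509-413513 1460->1463 1464 4134fd-413500 1461->1464 1465 413541-413545 1463->1465
1466 413515-413521 1463->1466 1464->1463 1469 413547-413556 1465->1469
1470 4135bd-413618 call 419090 call 405d40 call 419090 * 3 1465->1470
1467 413523-413531 1466->1467 1468 413537-41353e call 41ecf8 1466->1468 1467->1423 1467->1468
1468->1465 1469->1421 1477 41355c-4135bb call 419090 call 405d40 call 419090 * 3 1469->1477
1492 41361c-41362e call 419090 call 40dd40 1470->1492 1477->1492 1499 413633-41363c 1492->1499
1500 41366a-413682 1499->1500 1501 41363e-41364a 1499->1501 1504 4136b0-4136c8 1500->1504
1505 413684-413690 1500->1505 1502 413660-413667 call 41ecf8 1501->1502 1503 41364c-41365a 1501->1503
1502->1500 1503->1435 1503->1502 1506 4136f2-41370a 1504->1506 1507 4136ca-4136d6 1504->1507
1509 413692-4136a0 1505->1509 1510 4136a6-4136ad call 41ecf8 1505->1510
1514 413734-41374e call 41e681 1506->1514 1515 41370c-413718 1506->1515
1512 4136e8-4136ef call 41ecf8 1507->1512 1513 4136d8-4136e6 1507->1513 1509->1435 1509->1510
1510->1504 1512->1506 1513->1435 1513->1512 1520 41372a-413731 call 41ecf8 1515->1520
1521 41371a-413728 1515->1521 1520->1514 1521->1435 1521->1520
"""

NODE_RE = re.compile(r"^[0-9a-f]{5,8}(-[0-9a-f]{5,8})?$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")

def parse_cfg(text):
    """Return (nodes, edges); nodes maps block id -> {start, end, calls, apis}."""
    nodes, edges, toks, cur, last, i = {}, [], text.split(), None, None, 0
    while i < len(toks):
        tok, m = toks[i], EDGE_RE.match(toks[i])
        if m:
            edges.append((m.group(1), m.group(2)))
            i += 1
        elif tok.isdigit() and i + 1 < len(toks) and NODE_RE.match(toks[i + 1]):
            start, _, end = toks[i + 1].partition("-")
            cur = nodes[tok] = {"start": int(start, 16), "end": int(end or start, 16),
                                "calls": [], "apis": defaultdict(int)}
            i += 2
        elif tok == "call":  # internal sub-routine called from this block
            cur["calls"].append(int(toks[i + 1], 16))
            last, i = ("call", cur["calls"][-1]), i + 2
        elif tok == "*":  # "<x> * n": x occurs n times in this block
            n = int(toks[i + 1])
            if last[0] == "call":
                cur["calls"].extend([last[1]] * (n - 1))
            else:
                cur["apis"][last[1]] += n - 1
            i += 2
        else:  # any other token is an imported API name called from this block
            cur["apis"][tok] += 1
            last, i = ("api", tok), i + 1
    return nodes, edges

def successors(edges):
    succ = defaultdict(set)
    for a, b in edges:
        succ[a].add(b)
    return succ

def reachable(succ, starts):
    seen, todo = set(), list(starts)
    while todo:
        n = todo.pop()
        if n not in seen:
            seen.add(n)
            todo.extend(succ[n])
    return seen

def entry_blocks(nodes, edges):
    targets = {b for _, b in edges}
    return sorted(n for n in nodes if n not in targets)

def exit_blocks(nodes, succ):
    return sorted(n for n in nodes if not (succ[n] - {n}))

def in_loop(succ, node):
    """True if control can come back to `node` after leaving it (a loop body)."""
    return node in reachable(succ, succ[node])

def blocks_calling(nodes, prefix):
    return sorted(n for n, b in nodes.items() if any(a.startswith(prefix) for a in b["apis"]))

if __name__ == "__main__":
    nodes, edges = parse_cfg(CFG_TEXT)
    succ = successors(edges)
    print(len(nodes), "blocks,", len(edges), "edges, entry", entry_blocks(nodes, edges))
    for n in blocks_calling(nodes, "Internet"):
        b = nodes[n]
        print(f"{n}: {b['start']:#x}-{b['end']:#x} {dict(b['apis'])} loop={in_loop(succ, n)}")
```

Running it shows a single entry block (1413), two exits (1435 and 1514), and InternetReadFile in block 1421 inside a cycle, which is the read loop; the same parser works on any other function entry in this report by swapping in its control_flow_graph text.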

APIs
• GetFileAttributesA.KERNELBASE(00000000), ref: 0040E364
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID: 111$246122658369$6fxmTwZm$IzE+$Qt==$RQ$Sww=$SF
• API String ID: 3188754299-2473151172
• Opcode ID: d603a60bffee24366b1f06f34d92cecc6f774ed9937ca19a6ef3273ce86f3389
• Instruction ID: 7300dd63f626a4af72f14f0e147fff97a26889a9d4b8d93e9becafaf4cbe3228
• Opcode Fuzzy Hash: d603a60bffee24366b1f06f34d92cecc6f774ed9937ca19a6ef3273ce86f3389
• Instruction Fuzzy Hash: E1A24A71A001449BEF18DB39CD8579DBB72AF86308F10856EF815A73C6D73D8AC48B99
Uniqueness
Uniqueness Score: -1.00%
Control-flow Graph

Basic blocks (id: address range, notable calls):
• 2586: 406c20-406c5b
• 2588: 406c61-406c6c
• 2590: 406c72-406cb3, call 435780, CreateProcessA
• 2595: 406cb9-406ce1, VirtualAlloc, Wow64GetThreadContext
• 2596: 406ce7-406d47, ReadProcessMemory, VirtualAllocEx
• 2598: 406d4d-406d6c
• 2601: 406d6e-406d72, call 406a70
• 2600: 406dc3-406e08
• 2589: 406e09-406e24, VirtualFree, call 41e681
• 2593: 406e29-406e2c

Edges:
• 2586->2588, 2586->2589
• 2588->2590, 2588->2589
• 2590->2595, 2590->2589
• 2595->2596, 2595->2589
• 2596->2598, 2596->2589
• 2598->2601, 2598->2600
• 2601->2600
• 2600->2589
• 2589->2593

Blocks 2586, 2588, 2590, 2595, 2596 and 2600 each have an edge into 2589, the VirtualFree block: every stage of the sequence falls through to the same cleanup path when its check fails, and the success path runs CreateProcessA, then VirtualAlloc and Wow64GetThreadContext, then ReadProcessMemory and VirtualAllocEx in that order.
APIs
• CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00406CAB (dwCreationFlags 0x4 = CREATE_SUSPENDED: the child is created but its primary thread is not scheduled)
• VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00406CC4 (4 bytes, MEM_COMMIT, PAGE_READWRITE: a pointer-sized buffer in the caller's own process)
• Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00406CD9 (fetches the 32-bit register context of the suspended child's thread)
• ReadProcessMemory.KERNELBASE(?, ,?,00000004,00000000), ref: 00406CF9 (reads 4 bytes, one 32-bit pointer, from the child's address space)
• VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 00406D3B (0x3000 = MEM_COMMIT|MEM_RESERVE, 0x40 = PAGE_EXECUTE_READWRITE, allocated inside the child)
• VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00406E11 (0x8000 = MEM_RELEASE of the local buffer)

A suspended child, a GetThreadContext on its thread, a pointer-sized ReadProcessMemory and an RWX VirtualAllocEx in the child are the opening steps of process hollowing (RunPE). The later steps, writing the payload image into the child and setting its context and resuming it, are not among the calls listed for this function; only the stages shown above are visible here.
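The API chain above is a detection pattern as much as an analysis finding. The following is an added example, not part of the Joe Sandbox report or of the sample's code: a small Python matcher that parses API-trace lines in the same shape as the report's "APIs" list and walks them once, looking for the ordered hollowing stages (CREATE_SUSPENDED child, (Wow64)GetThreadContext, ReadProcessMemory, RWX VirtualAllocEx). The two traces embedded in it are constructed for the example; the first mirrors the six calls listed for this function, the second is a benign process start that also uses CREATE_SUSPENDED, which on its own is common in debuggers and installers and must not trigger by itself. The later hollowing stages (WriteProcessMemory, SetThreadContext, ResumeThread) are deliberately not required, because they are not in this function's listing.

```python
import re
from dataclasses import dataclass

# Windows SDK constants (from winbase.h / winnt.h).
CREATE_SUSPENDED = 0x00000004
MEM_COMMIT = 0x00001000
MEM_RESERVE = 0x00002000
PAGE_EXECUTE_READWRITE = 0x00000040

# Constructed trace, formatted like the report's "APIs" list. "?" marks arguments the
# sandbox could not resolve; an empty field is treated the same way.
SAMPLE_TRACE = """\
CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00406CAB
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 00406CC4
Wow64GetThreadContext.KERNEL32(?,00000000), ref: 00406CD9
ReadProcessMemory.KERNELBASE(?, ,?,00000004,00000000), ref: 00406CF9
VirtualAllocEx.KERNELBASE(?,?,?,00003000,00000040), ref: 00406D3B
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00406E11
"""

# Constructed benign trace: CREATE_SUSPENDED followed by an immediate ResumeThread.
BENIGN_TRACE = """\
CreateProcessA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00401000
ResumeThread.KERNEL32(?), ref: 00401020
"""

LINE_RE = re.compile(r"^(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\), ref: (?P<ref>[0-9A-Fa-f]+)$")


@dataclass
class Call:
    api: str
    args: list   # int per argument, None where unresolved
    ref: int     # return address of the call site


def parse_arg(tok):
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)


def parse_trace(text):
    """Parse 'Api.Module(a,b,c), ref: XXXXXXXX' lines; skip anything that does not match."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            args = [parse_arg(t) for t in m.group("args").split(",")]
            calls.append(Call(m.group("api"), args, int(m.group("ref"), 16)))
    return calls


def _has_flag(args, index, flag):
    return len(args) > index and args[index] is not None and bool(args[index] & flag)


# Ordered stages; each predicate inspects one parsed call. Stage order is enforced,
# unrelated calls in between are ignored.
STAGES = [
    ("suspended_create", lambda c: c.api.startswith("CreateProcess")
        and _has_flag(c.args, 5, CREATE_SUSPENDED)),            # dwCreationFlags is arg 6
    ("get_thread_context", lambda c: c.api in ("GetThreadContext", "Wow64GetThreadContext")),
    ("read_remote_memory", lambda c: c.api == "ReadProcessMemory"),
    ("alloc_rwx_remote", lambda c: c.api == "VirtualAllocEx"
        and _has_flag(c.args, 3, MEM_COMMIT)
        and len(c.args) > 4 and c.args[4] == PAGE_EXECUTE_READWRITE),
]


def match_hollowing(calls):
    """Return (all_stages_seen, [(stage, call_site)]) for one process's API trace."""
    hits, idx = [], 0
    for c in calls:
        if idx < len(STAGES) and STAGES[idx][1](c):
            hits.append((STAGES[idx][0], c.ref))
            idx += 1
    return idx == len(STAGES), hits


if __name__ == "__main__":
    for name, trace in (("sample", SAMPLE_TRACE), ("benign", BENIGN_TRACE)):
        verdict, hits = match_hollowing(parse_trace(trace))
        print(name, "hollowing" if verdict else "no match",
              ["%s@%06X" % (s, r) for s, r in hits])
```

Requiring the ordered chain rather than any single call is what keeps the benign trace quiet: it reaches only the first stage. On a real trace you would feed each process's calls separately, since the stages belong to one injector acting on one child.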
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_explorha.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Virtual$AllocProcess$ContextCreateFreeMemoryReadThreadWow64
                                                                                                                                                                                                                                                          • String ID: $VUUU$invalid stoi argument
                                                                                                                                                                                                                                                          • API String ID: 752144545-3954507777
                                                                                                                                                                                                                                                          • Opcode ID: 1dc533b4f15018f7123a36f6dec66b4cdb039f199f99a863c03f9f2da76d3012
                                                                                                                                                                                                                                                          • Instruction ID: 03058211e3a2b8f24055e29f2cd2c534de65d459894f14437fc849891aef694f
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1dc533b4f15018f7123a36f6dec66b4cdb039f199f99a863c03f9f2da76d3012
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A24184B0284301BFE620EF24CC02F9B77E8AF85B08F501529B654A61D1E7B4B954CB9A
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetFileAttributesA.KERNELBASE(00000000), ref: 0040E364
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID: 6fxmTwZm$Qt==$RQ
• API String ID: 3188754299-3836299698
• Opcode ID: bffa53bb42972cefc31046d74357a1415cf14d0884b0eb06accc173b6a37bf37
• Instruction ID: 4504a243531a69179d791cabb07919988cb67f6d599b1b1f62790129155eb41e
• Opcode Fuzzy Hash: bffa53bb42972cefc31046d74357a1415cf14d0884b0eb06accc173b6a37bf37
• Instruction Fuzzy Hash: 40524B71A001449BEF0CDB39CD8579DBB72AF86308F10866EE415AB3D6D73D8AD08B59
Uniqueness

Uniqueness Score: -1.00%

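The memory-dump names listed under "Memory Dump Source" carry the evidence behind the report's "Detected unpacking (changes PE section rights)" verdict: the dump covering 0x401000 (the first section of the module mapped at 0x400000) has protection value 00000040, and several later ranges have 00000080. Read as Windows winnt.h constants those are PAGE_EXECUTE_READWRITE and PAGE_EXECUTE_WRITECOPY, i.e. pages that are both writable and executable, which a normally mapped PE image does not have. The following is an added example, not Joe Sandbox's own tooling or code from the analysed sample. It assumes the dump-name layout `<pid>.<stage>.<dump id>.<base>.<protection>.<state>.<region type>.<index>.sdmp` (inferred only from the names on this page) and that the protection and region-type fields are the raw Windows PAGE_* and MEM_* values; the four dump names embedded in it are copied from this report.

```python
"""Decode Joe Sandbox .sdmp names and flag image pages that are both writable and executable.

Added example: the field layout below is an assumption inferred from the names on this report page,
not a documented Joe Sandbox format.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Windows memory protection and region-type constants (winnt.h).
PAGE_NOACCESS = 0x01
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_IMAGE = 0x01000000

PROTECT_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS",
    PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE",
    PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE",
    PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
# Both values allow writing and executing the same page.
WRITE_AND_EXECUTE = {PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

# Assumed layout: <pid>.<stage>.<dump id>.<base>.<protection>.<state>.<region type>.<index>.sdmp
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9a-fA-F]{8})\.(?P<stage>[0-9a-fA-F]{8})\.(?P<dump_id>\d+)\."
    r"(?P<base>[0-9a-fA-F]{16})\.(?P<protect>[0-9a-fA-F]{8})\.(?P<state>[0-9a-fA-F]{8})\."
    r"(?P<region_type>[0-9a-fA-F]{8})\.(?P<index>[0-9a-fA-F]{8})\.sdmp$"
)


@dataclass(frozen=True)
class Sdmp:
    pid: int
    base: int
    protect: int
    region_type: int

    @property
    def protect_name(self) -> str:
        # Low byte holds the PAGE_* value; guard bits etc. would sit above it.
        return PROTECT_NAMES.get(self.protect & 0xFF, hex(self.protect))

    @property
    def is_image(self) -> bool:
        return bool(self.region_type & MEM_IMAGE)

    @property
    def writable_and_executable(self) -> bool:
        return (self.protect & 0xFF) in WRITE_AND_EXECUTE


def parse_sdmp(name: str) -> Sdmp:
    """Parse one dump file name; raises ValueError if it does not match the assumed layout."""
    m = SDMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return Sdmp(
        pid=int(m["pid"], 16),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        region_type=int(m["region_type"], 16),
    )


def flag_wx_image_pages(names: List[str]) -> List[Tuple[int, str]]:
    """Return (base address, protection name) for every image-backed dump whose pages are W+X."""
    hits = []
    for n in names:
        d = parse_sdmp(n)
        if d.is_image and d.writable_and_executable:
            hits.append((d.base, d.protect_name))
    return hits


# Dump names copied from this report (process 2, module mapped at 0x400000).
REPORT_DUMPS = [
    "00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp",
    "00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp",
    "00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp",
    "00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp",
]

if __name__ == "__main__":
    for base, prot in flag_wx_image_pages(REPORT_DUMPS):
        print(f"W+X image page at {base:#010x}: {prot}")
```

Run against the four names above, the check flags 0x401000 as PAGE_EXECUTE_READWRITE and 0x477000 as PAGE_EXECUTE_WRITECOPY and leaves the PAGE_READWRITE ranges alone. A caveat when reusing this on other reports: the protection value only says what the page was at dump time, so a section that was unpacked and then restored to PAGE_EXECUTE_READ with VirtualProtect would not be caught by this static view; the sandbox's own "changes PE section rights" signature, which observes the protection change as it happens, is the stronger signal.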
Control-flow Graph

(Rendered graph not reproduced. Function body 004430DC-00443405; its basic blocks call 00442E2A, 0043D46B, 00438B90, 00438BA3, 00442D95, 00438B6D, 0043D3B6, 00442B42, 00442FA4, 0043C568 and 0043D57E, with the GetFileType call in block 00443202-0044320B.)
APIs
• Part of subcall function 00442D95: CreateFileW.KERNELBASE(00000000,00000000,?,00443185,?,?,00000000,?,00443185,00000000,0000000C), ref: 00442DB2
• __dosmaperr.LIBCMT ref: 004431F7
• GetFileType.KERNELBASE(00000000), ref: 00443203
• __dosmaperr.LIBCMT ref: 00443216
• __dosmaperr.LIBCMT ref: 004433BC
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: __dosmaperr$File$CreateType
• String ID: H
• API String ID: 3443242726-2852464175
• Opcode ID: 59eb08d4d7c2a2e3c08b9ba2333e6eeae908f3f0dd02e64b14091bc1c1b3b80a
• Instruction ID: e2a2a13191cf52ba32b92798a130a0844fa9e94846459e6c22b38877e62b6f2c
• Opcode Fuzzy Hash: 59eb08d4d7c2a2e3c08b9ba2333e6eeae908f3f0dd02e64b14091bc1c1b3b80a
• Instruction Fuzzy Hash: 83A16C32A141045FEF19DF78CC52BAE7BA1AB0A329F14015EF811AF391DB789D02C75A
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
APIs
• GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407A53
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: InfoNativeSystem
• String ID: FcspH7==$FcspIG==$FcsqG7==
• API String ID: 1721193555-2365427954
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
APIs
• GetTimeZoneInformation.KERNELBASE(?,00000000,00000000,00000000,?,00458728), ref: 00443D7C
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: InformationTimeZone
• String ID: 5?D$W. Europe Standard Time$W. Europe Summer Time
• API String ID: 565725191-123115289
• Opcode ID: 3206ebc0e72ef02847ce491153f21b792926e1c6e3949b99680f414156d1ddd6
• Instruction ID: e009fe6b5195a2f0e7bd6efa29f79bc94c167f17d54cec8015a686408c8b1f88
• Opcode Fuzzy Hash: 3206ebc0e72ef02847ce491153f21b792926e1c6e3949b99680f414156d1ddd6
• Instruction Fuzzy Hash: 7A516BB1C00215ABEB10EF658C819AE77BCEF45B15F20427FE461A3291EF789F418B59
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 4370 407110-407161 Sleep 4371 4071e1-407257 call 419750 * 3 CreateThread Sleep 4370->4371 4372 407163-407177 call 41e7a6 4370->4372 4385 407285-40729d 4371->4385 4386 407259-407265 4371->4386 4372->4371 4378 407179-4071de call 41ece3 call 41e75c 4372->4378 4378->4371 4390 4072c7-4072df 4385->4390 4391 40729f-4072ab 4385->4391 4388 407267-407275 4386->4388 4389 40727b-407282 call 41ecf8 4386->4389 4388->4389 4394 40731b-407320 call 4382fa 4388->4394 4389->4385 4392 4072e1-4072ed 4390->4392 4393 407309-40731a 4390->4393 4396 4072bd-4072c4 call 41ecf8 4391->4396 4397 4072ad-4072bb 4391->4397 4398 4072ff-407306 call 41ecf8 4392->4398 4399 4072ef-4072fd 4392->4399 4396->4390 4397->4394 4397->4396 4398->4393 4399->4394 4399->4398
APIs
• Sleep.KERNELBASE(00000064,93673986,?,00000000,0044AFE8,000000FF), ref: 0040714C
• CreateThread.KERNELBASE(00000000,00000000,00406FB0,00468530,00000000,00000000,?,?,?,?,?,?,?,?), ref: 0040723E
• Sleep.KERNELBASE(000001F4,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407249
  • Part of subcall function 0041E75C: RtlWakeAllConditionVariable.NTDLL ref: 0041E810
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Sleep$ConditionCreateThreadVariableWake
• String ID:
• API String ID: 79123409-0
• Opcode ID: 1c7ea6e9ce80404d4581bcd9b3b7e240bce312653264ac4526fdd9b14f16450a
• Instruction ID: cdf2af8fabe6abef923c30594fd8e6dd0d63da2496c2f49f8adf0b2f19e7ecc2
• Opcode Fuzzy Hash: 1c7ea6e9ce80404d4581bcd9b3b7e240bce312653264ac4526fdd9b14f16450a
• Instruction Fuzzy Hash: ED511571610244ABEB14CF28DD85B8D3BA1EB45704F50462EFC12973D1EBBDA980CB9E
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 4407 438561-438596 GetFileType 4408 43864e-438651 4407->4408 4409 43859c-4385a7 4407->4409 4412 438653-438656 4408->4412 4413 43867a-4386a2 4408->4413 4410 4385c9-4385e5 call 435780 GetFileInformationByHandle 4409->4410 4411 4385a9-4385ba call 4388d7 4409->4411 4422 43866b-438678 call 438b6d 4410->4422 4424 4385eb-43862d call 438829 call 4386d1 * 3 4410->4424 4427 4385c0-4385c7 4411->4427 4428 438667-438669 4411->4428 4412->4413 4418 438658-43865a 4412->4418 4414 4386a4-4386b7 4413->4414 4415 4386bf-4386c1 4413->4415 4414->4415 4434 4386b9-4386bc 4414->4434 4420 4386c2-4386d0 call 41e681 4415->4420 4418->4422 4423 43865c-438661 call 438ba3 4418->4423 4422->4428 4423->4428 4443 438632-43864a call 4387f6 4424->4443 4427->4410 4428->4420 4434->4415 4443->4415 4446 43864c 4443->4446 4446->4428
APIs
• GetFileType.KERNELBASE(?,?,00000000,00000000), ref: 00438583
• GetFileInformationByHandle.KERNELBASE(?,?), ref: 004385DD
• __dosmaperr.LIBCMT ref: 00438672
  • Part of subcall function 004388D7: __dosmaperr.LIBCMT ref: 0043890C
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: File__dosmaperr$HandleInformationType
• String ID:
• API String ID: 2531987475-0
• Opcode ID: c98ff3dace4c1f2f130799cc342ee079a3aa2afc238435003a3daeb81243b376
• Instruction ID: c585fbfc400218a6cf5cb38cd33031780b95b48a1d5685603569cf01c74a7eb7
• Opcode Fuzzy Hash: c98ff3dace4c1f2f130799cc342ee079a3aa2afc238435003a3daeb81243b376
• Instruction Fuzzy Hash: 20413C75900744AFDB24AFA6DC469AFFBF9EF88304B10552EF856D3610DB34A8048B65
Control-flow Graph (function graph starting at node 405e90-405f15; raw graph data omitted)
APIs
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00000001,?), ref: 00405F0D
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00405F3B
• RegCloseKey.KERNELBASE(?), ref: 00405F47
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 532a9213ffa3f20d6b00385a9e3b55a991bcb6ccd470fe90692b66ec3cf4c4f1
• Instruction ID: aeb29a3e79fec863dc901591d9717d1b79d2749ce5fba70812ecb69a2270231d
• Opcode Fuzzy Hash: 532a9213ffa3f20d6b00385a9e3b55a991bcb6ccd470fe90692b66ec3cf4c4f1
• Instruction Fuzzy Hash: 5241D4B15102189BEB24DF24CC41BEE77B9EB45308F10816EF915A72C1D7799AC4CF98
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed

Basic blocks of the function at 409675 (node id: address range, notable calls -> successor nodes), recovered from the flattened graph:
• 4473: 409675-409695 GetFileAttributesA -> 4476, 4477
• 4476: 4096c3-4096df -> 4480, 4481
• 4477: 409697-4096a3 -> 4478, 4479
• 4478: 4096a5-4096b3 -> 4479, 4484
• 4479: 4096b9-4096c0 call 41ecf8 -> 4476
• 4480: 4096e1-4096ed -> 4486, 4487
• 4481: 40970d-40972c -> 4482, 4483
• 4482: 40975a-40a3e6 call 419750
• 4483: 40972e-40973a -> 4488, 4489
• 4484: 40a3ec -> 4491, 4492
• 4486: 409703-40970a call 41ecf8 -> 4481
• 4487: 4096ef-4096fd -> 4484, 4486
• 4488: 409750-409757 call 41ecf8 -> 4482
• 4489: 40973c-40974a -> 4484, 4488
• 4491: 40a423-40a458 Sleep CreateMutexA -> 4501
• 4492: 40a3ec call 4382fa -> 4491
• 4501: 40a45e-40a464 -> 4503, 4504
• 4503: 40a466
• 4504: 40a467-40a46f call 437cb9
APIs
• GetFileAttributesA.KERNELBASE(00000000), ref: 00409678
• Sleep.KERNELBASE(000003E8), ref: 0040A435
• CreateMutexA.KERNELBASE(00000000,00000000,004651D8), ref: 0040A453
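The three API lines above describe a file-existence check, a Sleep of 0x3E8 = 1000 ms, and a CreateMutexA whose name pointer (004651D8) lies inside the mapped image; that call sequence is the usual shape of a single-instance guard (an inference from the calls, not something the report states). The per-function "API ID" the report prints (for example "AttributesCreateFileMutexSleep" further down) is what lets analysts group such functions across samples. The following script, added here and not Joe Sandbox code, parses these API lines and rebuilds the API ID. The stop-word list it uses is an assumption inferred from the two IDs visible on this page, the image end address is an assumption taken from the last associated dump, and `describe()` is a hypothetical helper for the two calls that matter in this function.

```python
"""Parse the 'APIs' lines of a Joe Sandbox per-function listing and
rebuild the report's API ID.  Added example, not Joe Sandbox code.
The stop-word list used for the API ID is an assumption inferred from
the two IDs visible on this page, not from any documentation."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the three API lines of the function at 0x409675 as they
# appear on this page.
SAMPLE_LINES = """
• GetFileAttributesA.KERNELBASE(00000000), ref: 00409678
• Sleep.KERNELBASE(000003E8), ref: 0040A435
• CreateMutexA.KERNELBASE(00000000,00000000,004651D8), ref: 0040A453
""".strip().splitlines()

IMAGE_BASE = 0x400000   # "Offset: 00400000, based on PE: true" in the report
IMAGE_END = 0x720000    # assumption: the last associated image dump starts at 0x71F000

_API_RE = re.compile(
    r"^\s*[•*-]?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
_CAMEL_RE = re.compile(r"[A-Z][a-z0-9]*")
# Tokens the report appears to drop when forming an API ID: ANSI/Unicode
# suffixes and generic words such as Get/Set/Reg/Key/Ex.  Assumption (see above).
_STOPWORDS = {"A", "W", "Ex", "Get", "Set", "Reg", "Key"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list[int]   # argument values exactly as the report prints them (hex)
    ref: int          # address of the call site


def parse_api_line(line: str) -> ApiCall | None:
    """Return an ApiCall for one 'Name.Module(args), ref: addr' line, else None."""
    m = _API_RE.match(line)
    if m is None:
        return None
    args = [int(a, 16) for a in m["args"].split(",") if a.strip()]
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16))


def parse_api_lines(lines) -> list[ApiCall]:
    return [c for c in map(parse_api_line, lines) if c is not None]


def api_id(names) -> str:
    """Join the sorted, de-duplicated CamelCase tokens of the API names."""
    tokens = set()
    for name in names:
        tokens.update(t for t in _CAMEL_RE.findall(name) if t not in _STOPWORDS)
    return "".join(sorted(tokens))


def in_image(value: int) -> bool:
    """True if a value lies inside the mapped image (e.g. a string pointer)."""
    return IMAGE_BASE <= value < IMAGE_END


def describe(call: ApiCall) -> str:
    """Analyst-facing one-liner (hypothetical helper); the Sleep/CreateMutex
    decoding is specific to the calls shown on this page."""
    if call.api == "Sleep" and call.args:
        return f"Sleep {call.args[0]} ms"
    if call.api.startswith("CreateMutex") and len(call.args) == 3:
        ptr = call.args[2]
        where = "in image" if in_image(ptr) else "outside image"
        return f"CreateMutex name at {ptr:#010x} ({where}), bInitialOwner={call.args[1]}"
    return f"{call.api}({', '.join(f'{a:#010x}' for a in call.args)})"


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_LINES)
    print("API ID:", api_id(c.api for c in calls))
    for c in calls:
        print(f"{c.ref:#010x} {c.module}!{c.api}: {describe(c)}")
```

Run against the three lines above it yields "AttributesCreateFileMutexSleep"; fed the names RegCloseKey, RegOpenKeyExA, RegQueryValueExA it yields "CloseOpenQueryValue", the ID of the preceding function, which is what the stop-word assumption was fitted to. Any other API set is an extrapolation and may differ from what the report prints.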
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmp
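The dump names in the list above pack a process index, a dump index, a base address and two fields whose values match Win32 page-protection and memory-type constants (0x04 = PAGE_READWRITE, 0x40 = PAGE_EXECUTE_READWRITE, 0x80 = PAGE_EXECUTE_WRITECOPY, 0x01000000 = MEM_IMAGE). That field layout is inferred from the names on this page, not from Joe Sandbox documentation, and the constant values themselves are documented Windows values. The script below, added here and not part of the report, decodes the names and lists image regions that are both writable and executable; a cleanly mapped PE keeps its code at PAGE_EXECUTE_READ, so a run of RWX and execute-writecopy regions across the image is consistent with the "Detected unpacking (changes PE section rights)" signature in the overview. The sample list is a constructed subset of the names shown above.

```python
"""Decode Joe Sandbox memory-dump (.sdmp) file names as listed under
'Memory Dump Source' and flag writable+executable image regions.
Added example, not Joe Sandbox code; the field layout is an inference
from the names on this page."""
import re

# Constructed sample: four of the dump names listed on this page.
SAMPLE_DUMPS = [
    "00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp",
    "00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp",
    "00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp",
    "00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmp",
]

# Documented Win32 constants (winnt.h).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
EXECUTABLE_AND_WRITABLE = 0x40 | 0x80   # RWX or execute-writecopy

# Field order is an assumption: process, index, id, base, protection, unknown,
# memory type, unknown.  The two 'unknown' fields are kept but not interpreted.
_DUMP_RE = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<idx>[0-9A-Fa-f]{8})\.(?P<id>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$"
)


def parse_dump_name(name):
    """Return a dict of decoded fields, or None if the name is not an .sdmp name."""
    m = _DUMP_RE.match(name.strip())
    if m is None:
        return None
    prot = int(m["prot"], 16)
    typ = int(m["type"], 16)
    return {
        "process": int(m["proc"], 16),
        "index": int(m["idx"], 16),
        "id": int(m["id"]),
        "base": int(m["base"], 16),
        "protect": prot,
        "protect_name": PAGE_PROTECT.get(prot & 0xFF, f"0x{prot:x}"),
        "type": typ,
        "type_name": MEM_TYPE.get(typ, f"0x{typ:x}"),
    }


def writable_executable_image_regions(names):
    """Base addresses of MEM_IMAGE regions whose protection allows both writing
    and execution.  A normally mapped PE maps code as PAGE_EXECUTE_READ, so these
    are the regions worth diffing against the on-disk sections."""
    hits = []
    for name in names:
        d = parse_dump_name(name)
        if d and d["type"] == 0x1000000 and d["protect"] & EXECUTABLE_AND_WRITABLE:
            hits.append(d["base"])
    return hits


if __name__ == "__main__":
    for name in SAMPLE_DUMPS:
        d = parse_dump_name(name)
        print(f"{d['base']:#010x} {d['protect_name']:<24} {d['type_name']}")
    print("writable+executable image regions:",
          [f"{b:#x}" for b in writable_executable_image_regions(SAMPLE_DUMPS)])
```

Feeding it the full "Associated" list above turns the alternating 00000040/00000080 values into a readable map of which image pages carry RWX versus execute-writecopy protection, which is a quick way to decide where to start diffing the dumps against the original sections.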
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: AttributesCreateFileMutexSleep
• String ID:
• API String ID: 396266464-0
• Opcode ID: c6beaa1f7c69fd2e341fe1fddf3ccd9629d95224dcdf41a8d5b01f229da6cce0
• Instruction ID: 2ba9b7992b55ceadf578c8698d2623948340d6b486fe5383bdf8d8bcc0539176
• Opcode Fuzzy Hash: c6beaa1f7c69fd2e341fe1fddf3ccd9629d95224dcdf41a8d5b01f229da6cce0
• Instruction Fuzzy Hash: 9B313C716102009BEB08EB7CCD897AEBB66DB86314F20862EE415A73D2D77D5D808799
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
[Control-flow graph for the function spanning 0x4097aa-0x40a46f: basic blocks call GetFileAttributesA, Sleep and CreateMutexA; the node and edge listing is omitted here]
APIs
• GetFileAttributesA.KERNELBASE(00000000), ref: 004097AD
• Sleep.KERNELBASE(000003E8), ref: 0040A435
• CreateMutexA.KERNELBASE(00000000,00000000,004651D8), ref: 0040A453
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: AttributesCreateFileMutexSleep
• String ID:
• API String ID: 396266464-0
• Opcode ID: e405deb2f5a72f4aa69ebf284d77788f3b795b2cb6b9b1b7b2e77bd2a6bbb897
• Instruction ID: 302fb4e65eafd2e8b3c607c1a015d82cc3a2cf093ce2e7e3a9a93fc5285c420f
• Opcode Fuzzy Hash: e405deb2f5a72f4aa69ebf284d77788f3b795b2cb6b9b1b7b2e77bd2a6bbb897
• Instruction Fuzzy Hash: 6D312B726202009BEB08DB7CCD8979DB762DF86314F24822EE815B73D6D77D5D808759
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNELBASE(00000000), ref: 00409A17
• Sleep.KERNELBASE(000003E8), ref: 0040A435
• CreateMutexA.KERNELBASE(00000000,00000000,004651D8), ref: 0040A453
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_explorha.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: AttributesCreateFileMutexSleep
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 396266464-0
                                                                                                                                                                                                                                                          • Opcode ID: 7b9245e7833b2cd97ccf76e8fe889d5b0e99ddb6a3acf1af0942dfe2a81293f1
                                                                                                                                                                                                                                                          • Instruction ID: 134c5e532ffe8ebe06902b5dfa116d278c6d64562c78a0f79979671455dbf4c7
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7b9245e7833b2cd97ccf76e8fe889d5b0e99ddb6a3acf1af0942dfe2a81293f1
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 003158717142409BEB08DB7CCD887ADB762EB86314F20822EE824A73D2D77D5D808B59
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetFileAttributesA.KERNELBASE(00000000), ref: 00409B4C
                                                                                                                                                                                                                                                          • Sleep.KERNELBASE(000003E8), ref: 0040A435
                                                                                                                                                                                                                                                          • CreateMutexA.KERNELBASE(00000000,00000000,004651D8), ref: 0040A453
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: AttributesCreateFileMutexSleep
• String ID:
• API String ID: 396266464-0
• Opcode ID: 8ff6dd6095905fe43ece881fc1837ae336cbd1900ab62412731d4d61482fa726
• Instruction ID: 01efd05580d05042150f12029adc9076fe752ecbbcaf7a610928fce50a3a9a46
• Opcode Fuzzy Hash: 8ff6dd6095905fe43ece881fc1837ae336cbd1900ab62412731d4d61482fa726
• Instruction Fuzzy Hash: 1D314871A042048BEB18DB7CDD8979DB7B2AB86314F20822EE424A73D2D77D69808759
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNELBASE(00000000), ref: 00409C81
• Sleep.KERNELBASE(000003E8), ref: 0040A435
• CreateMutexA.KERNELBASE(00000000,00000000,004651D8), ref: 0040A453
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: AttributesCreateFileMutexSleep
• String ID:
• API String ID: 396266464-0
• Opcode ID: 122a51b050aaa2959824432f15d348c6cfc7a46fe22780cd639f8e53b3be2a7b
• Instruction ID: 2c8d4e547f0699a5f627bb74cca6276d1e4e4527b25b3904c2bedda8dd98a0dc
• Opcode Fuzzy Hash: 122a51b050aaa2959824432f15d348c6cfc7a46fe22780cd639f8e53b3be2a7b
• Instruction Fuzzy Hash: 8F314B71A142009BFB08DB7CCD8979DB762DF86314F20822EE424A73D2E77D5980875A
Uniqueness

Uniqueness Score: -1.00%

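As an added example (not part of the Joe Sandbox report and not vendor code), the following Python pulls the analyst-relevant facts out of one function entry like the one above: it parses the API lines, rebuilds the entry's API ID from the API names under an assumed rule that reproduces the value the report prints, and maps the CreateMutexA name pointer 004651D8 to the dumped region that contains it. The sample entry is constructed from the lines of this report. Reading the fifth dotted field of an .sdmp file name as a Windows PAGE_* protection constant is an assumption; the page does not document the file-name format.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: one function entry copied from the report text above
# (API lines, the dump source with a few associated regions, and the API ID).
SAMPLE_ENTRY = """\
APIs
• GetFileAttributesA.KERNELBASE(00000000), ref: 00409C81
• Sleep.KERNELBASE(000003E8), ref: 0040A435
• CreateMutexA.KERNELBASE(00000000,00000000,004651D8), ref: 0040A453
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
Similarity
• API ID: AttributesCreateFileMutexSleep
"""

# "• Api.Module(hexarg,hexarg), ref: hexaddr"
API_LINE = re.compile(
    r"^•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[0-9A-Fa-f,]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
DUMP_NAME = re.compile(r"(?:Source File|Associated):\s*(?P<name>[0-9A-Fa-f.]+)\.sdmp")
CAMEL = re.compile(r"[A-Z][a-z0-9]*")

# Windows PAGE_* constants. Assumption: the fifth dotted field of an .sdmp
# name is the region's protection; the report does not state that.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: Tuple[int, ...]
    ref: int  # call-site address inside the dumped image


def parse_api_calls(entry: str) -> List[ApiCall]:
    """Parse every API bullet of one function entry into an ApiCall."""
    calls = []
    for line in entry.splitlines():
        m = API_LINE.match(line.strip())
        if m is None:
            continue
        args = tuple(int(a, 16) for a in m["args"].split(",") if a)
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls


def api_id(calls: List[ApiCall]) -> str:
    """Rebuild the 'API ID' the report prints for an entry.

    Assumed rule (it reproduces the page's value but is not documented by
    the vendor): split each API name on CamelCase, drop a leading 'Get' and
    a trailing ANSI/Unicode 'A'/'W', then join the sorted unique tokens.
    """
    tokens = set()
    for call in calls:
        words = CAMEL.findall(call.name) or [call.name.capitalize()]
        if words[0] == "Get":
            words = words[1:]
        if len(words) > 1 and words[-1] in ("A", "W"):
            words = words[:-1]
        tokens.update(words)
    return "".join(sorted(tokens))


def dump_regions(entry: str) -> List[Tuple[int, str]]:
    """(base address, protection) for the source dump and each associated dump."""
    regions = []
    for m in DUMP_NAME.finditer(entry):
        fields = m["name"].split(".")
        prot = int(fields[4], 16)
        regions.append((int(fields[3], 16), PAGE_PROTECT.get(prot, f"0x{prot:X}")))
    return sorted(regions)


def region_for(ptr: int, regions: List[Tuple[int, str]]) -> Optional[Tuple[int, str]]:
    """The dumped region whose base is the highest one at or below ptr."""
    hit = None
    for base, prot in regions:
        if base <= ptr:
            hit = (base, prot)
    return hit


def triage(entry: str) -> dict:
    """What an analyst notes from one entry: the API ID for cross-referencing
    other reports, the Sleep length, the dump holding the mutex name string,
    and which dumped regions were writable and executable at the same time."""
    calls = parse_api_calls(entry)
    regions = dump_regions(entry)
    out = {"api_id": api_id(calls), "sleep_ms": None, "mutex_name_region": None}
    for call in calls:
        if call.name == "Sleep" and call.args:
            out["sleep_ms"] = call.args[0]
        elif call.name.startswith("CreateMutex") and len(call.args) == 3 and call.args[2]:
            out["mutex_name_region"] = region_for(call.args[2], regions)
    out["rwx_regions"] = [base for base, prot in regions if prot == "PAGE_EXECUTE_READWRITE"]
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE_ENTRY).items():
        print(f"{key}: {value}")
```

Running `triage(SAMPLE_ENTRY)` reports a 1000 ms sleep and places 0x4651D8 in the region dumped from 0x464000, which is the .sdmp to open to read the mutex name; the same routine can be pointed at any other entry in the report to compare API IDs across samples.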
APIs
• GetFileAttributesA.KERNELBASE(00000000), ref: 00409DB6
• Sleep.KERNELBASE(000003E8), ref: 0040A435
• CreateMutexA.KERNELBASE(00000000,00000000,004651D8), ref: 0040A453
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: AttributesCreateFileMutexSleep
• String ID:
• API String ID: 396266464-0
• Opcode ID: 6454d83757b8ef358e0a5a8a161eceeec3176c39d7d0bdc7fcfd25411c762b86
• Instruction ID: ebb342275c7bc94beef35d4e89356a1576cc21d3169cf00c1344f62757ff88c0
• Opcode Fuzzy Hash: 6454d83757b8ef358e0a5a8a161eceeec3176c39d7d0bdc7fcfd25411c762b86
• Instruction Fuzzy Hash: 10314671A002409BEB18DB6CCD8979DB762AF86314F20823EE415AB3D6D77D9D808799
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetFileAttributesA.KERNELBASE(00000000), ref: 00409EEB
• Sleep.KERNELBASE(000003E8), ref: 0040A435
• CreateMutexA.KERNELBASE(00000000,00000000,004651D8), ref: 0040A453
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: AttributesCreateFileMutexSleep
• String ID:
• API String ID: 396266464-0
• Opcode ID: d667b7a6509b6d33bda6eef8eef36a521b5c9074688dc1f740a9b494c7bc15f4
• Instruction ID: 2cc2f599e46e9c2e9f5585b9526c388f1cd004cde4f99b0790e3a7b1ecdc86ff
• Opcode Fuzzy Hash: d667b7a6509b6d33bda6eef8eef36a521b5c9074688dc1f740a9b494c7bc15f4
• Instruction Fuzzy Hash: ED3159716002019BEB18DB7CCD8979EB7629B86318F20823EF411E73D6D77D5D80875A
Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetFileAttributesA.KERNELBASE(00000000), ref: 0040A020
                                                                                                                                                                                                                                                          • Sleep.KERNELBASE(000003E8), ref: 0040A435
                                                                                                                                                                                                                                                          • CreateMutexA.KERNELBASE(00000000,00000000,004651D8), ref: 0040A453
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_explorha.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: AttributesCreateFileMutexSleep
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 396266464-0
                                                                                                                                                                                                                                                          • Opcode ID: 765b21c2536816322f6c5547efab44483d8fe0583fd3e0c750caba2e2a9b3097
                                                                                                                                                                                                                                                          • Instruction ID: 418d18c0c1a15189541ae6884d12f1726913ead9e03b276f59d2014c73b5a658
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 765b21c2536816322f6c5547efab44483d8fe0583fd3e0c750caba2e2a9b3097
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C83148716003048BEB08DF7CCD8979EB662AF86318F24823EE411B73D2D77D5994876A
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetFileAttributesA.KERNELBASE(00000000), ref: 0040A155
                                                                                                                                                                                                                                                          • Sleep.KERNELBASE(000003E8), ref: 0040A435
                                                                                                                                                                                                                                                          • CreateMutexA.KERNELBASE(00000000,00000000,004651D8), ref: 0040A453
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_explorha.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: AttributesCreateFileMutexSleep
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 396266464-0
                                                                                                                                                                                                                                                          • Opcode ID: e70d4371a1d70a6dd3aebfbb5c81151b82a460f9d64e86744feec19b3537a35c
                                                                                                                                                                                                                                                          • Instruction ID: c535831623030d877824497014a817ddf1ac6f1e3708f5410fe9f93609889f86
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e70d4371a1d70a6dd3aebfbb5c81151b82a460f9d64e86744feec19b3537a35c
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 22312B716003009BEB08DB7CCD9979EB762DF86318F24823EE425AB3D2D77D5990875A
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetFileAttributesA.KERNELBASE(00000000), ref: 0040A28A
                                                                                                                                                                                                                                                          • Sleep.KERNELBASE(000003E8), ref: 0040A435
                                                                                                                                                                                                                                                          • CreateMutexA.KERNELBASE(00000000,00000000,004651D8), ref: 0040A453
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: AttributesCreateFileMutexSleep
• String ID:
• API String ID: 396266464-0
• Opcode ID: a8644d055ecfb00e2fe5657e86a7b57b74661c49d05d8253dac8c033f786ab14
• Instruction ID: 9350937bd0ab51a91e77cca9a514a1a864808542d5bae2731d879c53ac3ff410
• Opcode Fuzzy Hash: a8644d055ecfb00e2fe5657e86a7b57b74661c49d05d8253dac8c033f786ab14
• Instruction Fuzzy Hash: 9A3158716003049BEB08DB7CCD897ADB762AFC6314F24823EE811A77D2D77D5990875A
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateThread.KERNELBASE(00000000,00000000,Function_00018200,00000000,00000000,00000000), ref: 00418336
• CreateThread.KERNELBASE(00000000,00000000,Function_00018290,00000000,00000000,00000000), ref: 00418347
• Sleep.KERNELBASE(00007530), ref: 00418355
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: CreateThread$Sleep
• String ID:
• API String ID: 422425972-0
• Opcode ID: 9d933fc10b688117e3e177aac5c623aa3e8dd34c5535b5492eb3f31267a7f845
• Instruction ID: ace93140c8d56a7a13ba7f4260162f18fc1394d8b1f4b1e5804ce70eb70e38a6
• Opcode Fuzzy Hash: 9d933fc10b688117e3e177aac5c623aa3e8dd34c5535b5492eb3f31267a7f845
• Instruction Fuzzy Hash: D2D0C931FD572876F53152502D03F863A15570AF52F380057B70C3F1D009D834408A9D
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_explorha.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: ef4623af2b4be7621c088b828e4d143170a8a6416a18be4fb5644e87eef0a0ad
                                                                                                                                                                                                                                                          • Instruction ID: 9a4d66b81345771a6b39325600068bbf21656009fc2b088542c0ee9b90af4b27
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ef4623af2b4be7621c088b828e4d143170a8a6416a18be4fb5644e87eef0a0ad
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1F213D71901309BEEB11BB649C42B9FB3299F4533CF20531EF9242B1C1DF786E0582A9
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • Sleep.KERNELBASE(000003E8), ref: 0040A435
                                                                                                                                                                                                                                                          • CreateMutexA.KERNELBASE(00000000,00000000,004651D8), ref: 0040A453
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_explorha.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CreateMutexSleep
• String ID:
• API String ID: 1464230837-0
• Opcode ID: cf5a1b38eef367cbd4ef64bfee86b4d566393a91ba6b87a808bc7921b9cb796a
• Instruction ID: 7052ccbaf1d3359db0cdf14c0d128814b91f5ff5c87d75fc4d53b668aa170e0d
• Opcode Fuzzy Hash: cf5a1b38eef367cbd4ef64bfee86b4d566393a91ba6b87a808bc7921b9cb796a
• Instruction Fuzzy Hash: A6D0A710699300E7F120779D4C9EB6D214CC746708F252839E604590C1D9E424000A2B
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407FF4
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: InfoNativeSystem
• String ID:
• API String ID: 1721193555-0
• Opcode ID: 5ded6023724f1d7e1c4d8acf165197b51ac8170692016f82ad4cbbf22dacf187
• Instruction ID: 451ecb78406f86ceae3e33998083ea6c917a1a96fb3e92cea4cf23597b23681e
• Opcode Fuzzy Hash: 5ded6023724f1d7e1c4d8acf165197b51ac8170692016f82ad4cbbf22dacf187
• Instruction Fuzzy Hash: AD512671D042089BEB14EB28CD457DEB774DB46314F5042BEE804B73C1EB38AAC48B9A
Uniqueness

Uniqueness Score: -1.00%
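The function entries in this part of the report (the GetNativeSystemInfo call above and the RegSetValueExA call in the entry below, plus the .sdmp memory dump names they reference) are machine-generated and leave the decoding to the reader. The following is an added example, written for this page and not part of Joe Sandbox or of the analysed sample, that turns such lines into triage findings: it decodes the Win32 constants that are fixed by the API prototypes (0x80000001 is HKEY_CURRENT_USER, dwType 2 is REG_EXPAND_SZ, protection 0x40 is PAGE_EXECUTE_READWRITE) and flags writable-and-executable regions. The layout of the .sdmp file name (process index, stage, dump id, base address, protection, three further fields) is inferred from the report and is an assumption, not documented Joe Sandbox behaviour; the sample input is copied from the entries on this page.

```python
import re
from typing import Dict, List, Optional

# Memory protection constants from winnt.h.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
_EXEC_BITS = 0x10 | 0x20 | 0x40 | 0x80
_WRITE_BITS = 0x04 | 0x08 | 0x40 | 0x80   # WRITECOPY pages are privately writable

# Predefined registry roots and value types from winreg.h.
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_TYPES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
             4: "REG_DWORD", 7: "REG_MULTI_SZ", 11: "REG_QWORD"}

# ASSUMPTION: .sdmp names are <proc>.<stage>.<dump id>.<base>.<protect>.<f6>.<f7>.<f8>.sdmp.
# Inferred from the report; the last three fields are kept raw because their meaning is not known.
SDMP_RE = re.compile(
    r"(?P<proc>\d{8})\.(?P<stage>\d{8})\.(?P<dump>\d+)\.(?P<base>[0-9A-Fa-f]{16})"
    r"\.(?P<protect>[0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.[0-9A-Fa-f]{8}\.sdmp"
)
# '<Api>.<Module>(<args>), ref: <addr>' as printed in the APIs list of each entry.
API_RE = re.compile(r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


def parse_sdmp(text: str) -> Optional[Dict[str, int]]:
    """Return the numeric fields of the first .sdmp name in `text`, or None."""
    m = SDMP_RE.search(text)
    if not m:
        return None
    return {"proc": int(m["proc"]), "stage": int(m["stage"]), "dump": int(m["dump"]),
            "base": int(m["base"], 16), "protect": int(m["protect"], 16)}


def protect_name(protect: int) -> str:
    """Low byte is the protection class; higher bits are modifiers such as PAGE_GUARD."""
    return PAGE_PROTECT.get(protect & 0xFF, f"0x{protect:08x}")


def is_rwx(protect: int) -> bool:
    """True when the region is both writable and executable (typical of unpacked code)."""
    p = protect & 0xFF
    return bool(p & _EXEC_BITS) and bool(p & _WRITE_BITS)


def parse_api_ref(text: str) -> Optional[Dict[str, object]]:
    m = API_RE.search(text)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    return {"api": m["api"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)}


def _arg_int(args: List[str], idx: int) -> Optional[int]:
    """Arguments the sandbox could not resolve are printed as '?'; only hex literals decode."""
    if idx >= len(args) or args[idx] == "?":
        return None
    return int(args[idx], 16)


def decode_args(api: str, args: List[str]) -> List[str]:
    """Name the arguments whose position is fixed by the Win32 prototype."""
    out: List[str] = []
    if api.startswith("RegSetValueEx"):
        # RegSetValueEx(hKey, lpValueName, Reserved, dwType, lpData, cbData)
        hkey, dtype = _arg_int(args, 0), _arg_int(args, 3)
        if hkey is not None:
            out.append("hKey=" + HKEY_ROOTS.get(hkey, f"0x{hkey:08x}"))
        if dtype is not None:
            out.append("dwType=" + REG_TYPES.get(dtype, str(dtype)))
    return out


def triage(entry_lines: List[str]) -> List[str]:
    """One finding per line an analyst would pull out of a function entry."""
    findings: List[str] = []
    for line in entry_lines:
        dump = parse_sdmp(line)
        if dump and is_rwx(dump["protect"]):
            findings.append(f"RWX region at 0x{dump['base']:08x} in process #{dump['proc']} "
                            f"({protect_name(dump['protect'])}): candidate unpacked code")
        call = parse_api_ref(line)
        if not call:
            continue
        decoded = decode_args(call["api"], call["args"])
        if call["api"].startswith("RegSetValueEx") and "hKey=HKEY_CURRENT_USER" in decoded:
            findings.append(f"{call['api']} at 0x{call['ref']:08x} writes under HKCU "
                            f"({', '.join(decoded)}): check for Run-key persistence")
        if call["api"] == "GetNativeSystemInfo":
            findings.append(f"GetNativeSystemInfo at 0x{call['ref']:08x}: processor count and "
                            "architecture query, a common sandbox check")
    return findings


# Constructed input: lines copied from the function entries on this page.
REPORT_LINES = [
    "• GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407FF4",
    "• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true",
    "• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp",
    "• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp",
    "• RegSetValueExA.KERNELBASE(80000001,?,00000000,00000002,?,?), ref: 00406081",
]

if __name__ == "__main__":
    for finding in triage(REPORT_LINES):
        print(finding)
```

On the lines above the script reports the 0x401000 and 0x477000 regions as writable-and-executable (the 0x400000 header region at PAGE_READWRITE is not flagged) and names the RegSetValueExA call as an HKCU write of a REG_EXPAND_SZ value; the value name and data are shown as '?' in the report, so whether it really targets a Run key has to be confirmed from the registry activity section of the report, not from this entry alone.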

APIs
• RegSetValueExA.KERNELBASE(80000001,?,00000000,00000002,?,?), ref: 00406081
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_explorha.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Value
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3702945584-0
                                                                                                                                                                                                                                                          • Opcode ID: 56822d15fc24fef85cbbb1519ed0f1b0258d7664ae3cc5c5af08c502f5914821
                                                                                                                                                                                                                                                          • Instruction ID: c067c1c78970027c504d76a339d2ad8622a961701cfb30f3c8456445dd522333
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 56822d15fc24fef85cbbb1519ed0f1b0258d7664ae3cc5c5af08c502f5914821
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6B31B370210108AFEF18DF28CD85B9D7B66EB85344F90812DFD169B2D6D779D9D08B88
                                                                                                                                                                                                                                                          Uniqueness

Uniqueness Score: -1.00%

APIs
• SystemTimeToTzSpecificLocalTime.KERNELBASE(00000000,?,?,?,?,?,00438608,?,?,00000000,00000000), ref: 00438713
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Time$LocalSpecificSystem
• String ID:
• API String ID: 2574697306-0
• Opcode ID: fa24eace061ac9d10791ee6991e6287c26e1039c5dc91332f7612f80114992c8
• Instruction ID: 75ad40681fe46a446797630d54e5567bbdeb17513b05756d1bb2a6182c8806e6
• Opcode Fuzzy Hash: fa24eace061ac9d10791ee6991e6287c26e1039c5dc91332f7612f80114992c8
• Instruction Fuzzy Hash: 7011067290024CAADB00DE95C881ADFB7BDAB4C314F60526BF515E3180EB34EA488B65
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_explorha.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: __wsopen_s
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3347428461-0
                                                                                                                                                                                                                                                          • Opcode ID: b6fdc707801c3414901084f0bb835def593165dfca7d883bdb4032b134d3f048
                                                                                                                                                                                                                                                          • Instruction ID: e51fa6413295ab1fa619453af05b18617419dd83dadbd508c8f1aaedbc7c1555
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b6fdc707801c3414901084f0bb835def593165dfca7d883bdb4032b134d3f048
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A9112A71A0410AAFCF05DF99E94199B7BF8EF48304F1440AAF805EB351D674EE15CB69
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • RtlAllocateHeap.NTDLL(00000000,93673986,?,?,0041EA91,93673986,?,0041911B,?,?,?,?,?,?,00406FE5,?), ref: 0043C69E
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 7bdad43af0db9c0ce68aeb57e8dca6ff01e3c92a7de1d447aa6aeb5655d0b3e3
• Instruction ID: fb7f99d4e46738c00eac17a541707f45b8f05fef720043029179851d94b7d130
• Opcode Fuzzy Hash: 7bdad43af0db9c0ce68aeb57e8dca6ff01e3c92a7de1d447aa6aeb5655d0b3e3
• Instruction Fuzzy Hash: AAE09B755143265BE62126665C83B6B7648DF4E3B0F253127FC04B6280DF6CDC1147EE
Uniqueness

Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNELBASE(00000000,00000000,?,00443185,?,?,00000000,?,00443185,00000000,0000000C), ref: 00442DB2
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: f6fa53751e3b6019c1baf86457a5cb3ce1fd43841008b1121a513a715ad90be4
• Instruction ID: 15746fd3876bc0553c47d6e9c898e3a4f15c7c53cc222d496769fb642c90fcff
• Opcode Fuzzy Hash: f6fa53751e3b6019c1baf86457a5cb3ce1fd43841008b1121a513a715ad90be4
• Instruction Fuzzy Hash: EAD0923204010DBBDF129E84DC02EEA3BAAFB88718F014110BE5866020C772E871EB94
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 91b3937498eb475304a553aab935e06e1cd36740e9f313f5408e86ad71e7909b
• Instruction ID: beef4a2ff77a20d1a4b074a98ea1cde1c0451cbe628cfceaf5eb0a177ffd3537
• Opcode Fuzzy Hash: 91b3937498eb475304a553aab935e06e1cd36740e9f313f5408e86ad71e7909b
• Instruction Fuzzy Hash: 08F0F971900604A7C701BB79DD0774E7B74DB46B24F94036EE910272D1EB7819044BDB
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.3655603189.00000000049F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_49f0000_explorha.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 86937c5b7d35fc91eeed7def8ee3f389c94defeda5746b7c25f666c7f4c8527d
• Instruction ID: fa35c32710779a369a05bd4b93093d9939ae8b25578010f2c284eb2cffe57b31
• Opcode Fuzzy Hash: 86937c5b7d35fc91eeed7def8ee3f389c94defeda5746b7c25f666c7f4c8527d
• Instruction Fuzzy Hash: 7B21AEEB24C210BE710294822F15EFB6B6FE4D3634331C837F902D6603E6D95E492232
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.3655603189.00000000049F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_49f0000_explorha.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ebe38e6208c6f7fb6b9dcbf880d766cf7eb126488ebb7ed567580350785a4896
• Instruction ID: 6e05df99db5663c393b16d3089833756a98d3c5c9c6bb7b4d5da19003c3c7398
• Opcode Fuzzy Hash: ebe38e6208c6f7fb6b9dcbf880d766cf7eb126488ebb7ed567580350785a4896
• Instruction Fuzzy Hash: D71149EB24C224BD704294822F15AFA676FD5D36303318837F902D6243E2D95E5D3232
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.3655603189.00000000049F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_49f0000_explorha.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 92acb0f36e0195d4f542bfb92bcbd33f901ee3526372d100393dc37c6c895732
• Instruction ID: 403a90c84436514e49c012a11e167f7f1c63aa78f1183a8e81fc6076cbeb2320
• Opcode Fuzzy Hash: 92acb0f36e0195d4f542bfb92bcbd33f901ee3526372d100393dc37c6c895732
• Instruction Fuzzy Hash: 6D117CFB24C224BE724294822F15AFA676FE5D3630331883BF402D6107E2E95E5D3232
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.3655603189.00000000049F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_49f0000_explorha.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4e17fbdf97efd8aa2ca380dcd1848c4b9fa77d8a58501701580d2fbebec598ca
• Instruction ID: 0c741ad3fe7235b91216fe8b316f287dec9628412dffb122ae9065986392222e
• Opcode Fuzzy Hash: 4e17fbdf97efd8aa2ca380dcd1848c4b9fa77d8a58501701580d2fbebec598ca
• Instruction Fuzzy Hash: 581115AB248220BE714295822F15AFAA76EE5D3634331C837F502E5502E6E95E9D2232
Uniqueness
Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000002.00000002.3655603189.00000000049F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_49f0000_explorha.jbxd
Similarity
• API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 48c74da1925cf95091aab34473931b1a912a160e651affc227b503d32720f5ff
                                                                                                                                                                                                                                                          • Instruction ID: 2731028e5e7ebe4827802880db46d6d3d4f0c2e79c827e39817103e91eb8ae2c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 48c74da1925cf95091aab34473931b1a912a160e651affc227b503d32720f5ff
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 241139FB24C2107DB10294822F24EFAA76EE5D3634331C837F402E5102E6E99E4D2132
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3655603189.00000000049F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_49f0000_explorha.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 6979725882748733b7aaa904a596153e956b4ea95ba8482cb0ca4f3a007f37ea
                                                                                                                                                                                                                                                          • Instruction ID: 87bbae00eb38f314b24b55e18704d57d4288050504e37e5caf7d99c8784ae04a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6979725882748733b7aaa904a596153e956b4ea95ba8482cb0ca4f3a007f37ea
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E7018FEB24C2147E754290822F15AFA6A6FE5D36743318837F443E6543E6E95E4D3132
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3655603189.00000000049F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_49f0000_explorha.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 16399aa394e235de970117d98b2cce8618910864f2060e4bb024d9d473540e76
                                                                                                                                                                                                                                                          • Instruction ID: 59227205e9759033457e2d8ae9b271bdf5a454662e5da7ae4845994f18e68b13
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 16399aa394e235de970117d98b2cce8618910864f2060e4bb024d9d473540e76
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 58018FAB28D210ADB50290922F15BF7AB6ED5D36303308837F102D9543E2D95E5D6232
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3655603189.00000000049F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 049F0000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_49f0000_explorha.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: fea4a29a944d361bfbe96e1d8ca563c0bb5c7e461955307c747c0584be9b73c9
                                                                                                                                                                                                                                                          • Instruction ID: 2a231573eb6241c60d72e999bd0f373d44f51753be289a5126c86aa4cead2195
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fea4a29a944d361bfbe96e1d8ca563c0bb5c7e461955307c747c0584be9b73c9
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2B01D1FB2481107E711284826F44AF6676FE5E3A34330887BF002E6103E6E81B5E2232
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 004225A6
• Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 004225F2
  • Part of subcall function 00423CED: Concurrency::details::GlobalCore::Initialize.LIBCONCRT ref: 00423DE0
• Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 0042265E
• Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 0042267A
• Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 004226CE
• Concurrency::details::GlobalNode::Initialize.LIBCONCRT ref: 004226FB
• Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 00422751
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_explorha.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Concurrency::details::$GlobalInitialize$Node::$AffinityManager::Resource$CleanupCore::FindGroupInformationRestriction::Topology
                                                                                                                                                                                                                                                          • String ID: (
                                                                                                                                                                                                                                                          • API String ID: 2943730970-3887548279
                                                                                                                                                                                                                                                          • Opcode ID: 1d1ca7e2adf03174a1dadbdb6bc34c6266a8ac537d014547ca647e3e9c8d238b
                                                                                                                                                                                                                                                          • Instruction ID: 3aed8ad53349bfa8bdd4997de240bec9343a568973a4cdf8cc50a942f7a9e581
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1d1ca7e2adf03174a1dadbdb6bc34c6266a8ac537d014547ca647e3e9c8d238b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C7B18071A04621EFDB18CF59EA80A7EB7B4FF44304F54416ED801AB741D7B4AE81CB99
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0042438C: Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 0042439F
• Concurrency::details::ResourceManager::PreProcessDynamicAllocationData.LIBCONCRT ref: 00422CA4
  • Part of subcall function 0042449F: Concurrency::details::ResourceManager::HandleBorrowedCores.LIBCONCRT ref: 004244C9
  • Part of subcall function 0042449F: Concurrency::details::ResourceManager::HandleSharedCores.LIBCONCRT ref: 00424538
• Concurrency::details::ResourceManager::IncreaseFullyLoadedSchedulerAllocations.LIBCMT ref: 00422DD6
• Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 00422E36
• Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 00422E42
• Concurrency::details::ResourceManager::DistributeExclusiveCores.LIBCONCRT ref: 00422E7D
• Concurrency::details::ResourceManager::AdjustDynamicAllocation.LIBCONCRT ref: 00422E9E
• Concurrency::details::ResourceManager::PrepareReceiversForCoreTransfer.LIBCMT ref: 00422EAA
• Concurrency::details::ResourceManager::DistributeIdleCores.LIBCONCRT ref: 00422EB3
• Concurrency::details::ResourceManager::ResetGlobalAllocationData.LIBCMT ref: 00422ECB
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Concurrency::details::Manager::Resource$AllocationCores$Dynamic$AdjustCoreDataDistributeHandlePrepareReceiversTransfer$AllocationsBorrowedBuffersExclusiveFullyGlobalIdleIncreaseInitializeLoadedProcessResetSchedulerShared
• String ID:
• API String ID: 2508902052-0
• Opcode ID: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
• Instruction ID: ec649cb0ee6c0e5c5217e186a19a3e9dae97a7500944ab25286764b03fc265af
• Opcode Fuzzy Hash: aa9f8f36a8b7b44e1180d435f458fb72d8e9ffd861c0e8264618b64b20c70f21
• Instruction Fuzzy Hash: EB818D71F00625AFCB18DFA9D680A6EB7B1FF48304B5546AED405AB701C7B4ED52CB88
Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 00430311
                                                                                                                                                                                                                                                            • Part of subcall function 0042A5BF: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0042A5E0
                                                                                                                                                                                                                                                          • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00430377
                                                                                                                                                                                                                                                          • Concurrency::details::WorkItem::ResolveToken.LIBCONCRT ref: 0043038F
                                                                                                                                                                                                                                                          • Concurrency::details::WorkItem::BindTo.LIBCONCRT ref: 0043039C
                                                                                                                                                                                                                                                            • Part of subcall function 0042FE3F: Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0042FE67
                                                                                                                                                                                                                                                            • Part of subcall function 0042FE3F: Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0042FEFF
                                                                                                                                                                                                                                                            • Part of subcall function 0042FE3F: Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0042FF09
                                                                                                                                                                                                                                                            • Part of subcall function 0042FE3F: Concurrency::location::_Assign.LIBCMT ref: 0042FF3D
                                                                                                                                                                                                                                                            • Part of subcall function 0042FE3F: Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0042FF45
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Concurrency::details::$Base::Context$Scheduler$EventInternalItem::ProcessorVirtualWork$ActiveAssignBindCommitConcurrency::location::_GroupPointsReclaimResolveRunnableSafeScheduleSegmentThrowTokenTraceTrigger
• String ID:
• API String ID: 2363638799-0
• Opcode ID: 6ddb734407f89aea7314ee9e57c19c647ad3e21a534a96aa30f78d370945fd9f
• Instruction ID: 2878ccb493dc030fb1b7f536a547650fc3ed60342dbba1280727d5d500726b8c
• Opcode Fuzzy Hash: 6ddb734407f89aea7314ee9e57c19c647ad3e21a534a96aa30f78d370945fd9f
• Instruction Fuzzy Hash: BD51B831A00215EBCF14DF51C8A5BAEB771AF48314F1451AAED027B392CB74AE06CB95
Uniqueness

Uniqueness Score: -1.00%

APIs
• NtFlushProcessWriteBuffers.NTDLL ref: 0041E23A
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: BuffersFlushProcessWrite
• String ID:
• API String ID: 2982998374-0
• Opcode ID: 084c1665703291aa6874ae1269ff183979d7182254308d557c82e68a1cb78109
• Instruction ID: 682e57d4d2d307c9ac444028ea00d7e202a20aaf6380bccb25de016e2138b16f
• Opcode Fuzzy Hash: 084c1665703291aa6874ae1269ff183979d7182254308d557c82e68a1cb78109
• Instruction Fuzzy Hash: 8DB0923AA165305789152B59BD1459E7718AA45B1230A40E7E802A73248AA46D824FEF
Uniqueness
• Uniqueness Score: -1.00%
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f89511a0b1b8fce596bd408a26b45279075d2d9b8697940bd54ea8d0e609d7df
• Instruction ID: 7f0abb81fd4ac67e801c8ae81665a05b9d2a2b17987a79d7215183f0f0c3135c
• Opcode Fuzzy Hash: f89511a0b1b8fce596bd408a26b45279075d2d9b8697940bd54ea8d0e609d7df
• Instruction Fuzzy Hash: 8C51E0B1D052159FEB18CF58D8817ABBBF1FB48304F24817AC505EB391E3B89985CB59
Uniqueness

Uniqueness Score: -1.00%

APIs
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042094B
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: std::invalid_argument::invalid_argument
• String ID: pEvents
• API String ID: 2141394445-2498624650
• Opcode ID: ca02be78a1c1d40c2d5eb1459857ffc39c51f90c3bc0aa635321579639398318
• Instruction ID: d98ecdd95c88c335169b02cd1496a6a5e1e84b9177df6cb315bed17c3b2b1904
• Opcode Fuzzy Hash: ca02be78a1c1d40c2d5eb1459857ffc39c51f90c3bc0aa635321579639398318
• Instruction Fuzzy Hash: 2F818F71F002299FDF10DFA5D881BEEB7F1AF45314F54441AE401A7283DB78AA86CB99
Uniqueness

Uniqueness Score: -1.00%

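The dump descriptors listed under Memory Dump Source carry the region's base address, page protection and region type in their file names, which is what a triager needs to tell the unpacked, writable-and-executable code regions apart from the RW header and data pages and to find which dump holds a referenced address such as 0042094B. The following is an added example, not part of the Joe Sandbox report: it parses those names (tolerating the "Download File" link text that HTML extraction glues onto them), decodes the protection and type fields with the standard Windows PAGE_* and MEM_* constants, lists the RWX regions, and picks the candidate dump for an address. The meaning of the remaining fields (process index, analysis pass, dump serial, an unexplained flag, module index) is an assumption read off the naming pattern, not something this page documents; the sample listing is copied from the entries above.

```python
"""Decode Joe Sandbox .sdmp memory-dump names from an HTML report extract.

Added example, not part of the Joe Sandbox report. Only base address,
protection and region type are decoded from documented Windows constants;
the other field meanings are assumptions from the naming pattern.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Standard Windows page-protection constants (winnt.h).
PAGE_NOACCESS, PAGE_READONLY, PAGE_READWRITE, PAGE_WRITECOPY = 0x01, 0x02, 0x04, 0x08
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x10, 0x20, 0x40, 0x80
PROTECT_NAMES = {
    PAGE_NOACCESS: "PAGE_NOACCESS", PAGE_READONLY: "PAGE_READONLY",
    PAGE_READWRITE: "PAGE_READWRITE", PAGE_WRITECOPY: "PAGE_WRITECOPY",
    PAGE_EXECUTE: "PAGE_EXECUTE", PAGE_EXECUTE_READ: "PAGE_EXECUTE_READ",
    PAGE_EXECUTE_READWRITE: "PAGE_EXECUTE_READWRITE",
    PAGE_EXECUTE_WRITECOPY: "PAGE_EXECUTE_WRITECOPY",
}
# Standard Windows region-type constants (winnt.h).
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}

# Assumed layout of a dump name: proc.pass.dumpid.base.protect.flag.type.module.sdmp
HEX8 = r"[0-9A-Fa-f]{8}"
SDMP_RE = re.compile(
    rf"(?<![0-9A-Fa-f])(?P<proc>{HEX8})\.(?P<run>{HEX8})\.(?P<dump_id>\d+)\."
    rf"(?P<base>[0-9A-Fa-f]{{16}})\.(?P<protect>{HEX8})\.(?P<flag>{HEX8})\."
    rf"(?P<mtype>{HEX8})\.(?P<module>{HEX8})\.sdmp"
)

# Constructed sample: six lines copied from the Memory Dump Source listing,
# including the 'Download File' residue that HTML extraction leaves behind.
SAMPLE_LISTING = """
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmpDownload File
"""


@dataclass(frozen=True)
class DumpRegion:
    proc: int      # analysis process index (assumed meaning)
    run: int       # analysis pass index (assumed meaning)
    dump_id: int   # dump serial number (assumed meaning; not unique per base)
    base: int      # region base address
    protect: int   # PAGE_* protection of the region
    flag: int      # sixth field; meaning unknown, kept verbatim
    mtype: int     # MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE
    module: int    # module index (assumed meaning)

    @property
    def executable(self) -> bool:
        return (self.protect & 0xFF) in (PAGE_EXECUTE, PAGE_EXECUTE_READ,
                                         PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)

    @property
    def writable(self) -> bool:
        # Copy-on-write pages count as writable: a process can still patch them.
        return (self.protect & 0xFF) in (PAGE_READWRITE, PAGE_WRITECOPY,
                                         PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY)

    @property
    def is_rwx(self) -> bool:
        return self.executable and self.writable

    def describe(self) -> str:
        prot = PROTECT_NAMES.get(self.protect & 0xFF, f"0x{self.protect:x}")
        kind = TYPE_NAMES.get(self.mtype, f"0x{self.mtype:x}")
        return f"proc {self.proc} base 0x{self.base:08X} {prot} {kind} module {self.module}"


def parse_sdmp(name: str) -> DumpRegion:
    """Parse one dump file name; raises ValueError if it does not fit the pattern."""
    m = SDMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return DumpRegion(proc=int(m["proc"], 16), run=int(m["run"], 16),
                      dump_id=int(m["dump_id"], 10), base=int(m["base"], 16),
                      protect=int(m["protect"], 16), flag=int(m["flag"], 16),
                      mtype=int(m["mtype"], 16), module=int(m["module"], 16))


def parse_listing(text: str) -> list[DumpRegion]:
    """Pull every dump name out of pasted report text, de-duplicated, in page order."""
    seen: set[str] = set()
    out: list[DumpRegion] = []
    for m in SDMP_RE.finditer(text):
        if m.group(0) not in seen:
            seen.add(m.group(0))
            out.append(parse_sdmp(m.group(0)))
    return out


def rwx_regions(regions: list[DumpRegion]) -> list[DumpRegion]:
    """Writable-and-executable regions, sorted by base: where unpacked code usually lives."""
    return sorted((r for r in regions if r.is_rwx), key=lambda r: r.base)


def locate(regions: list[DumpRegion], addr: int, proc: int | None = None) -> DumpRegion | None:
    """Best-effort: the dump with the highest base at or below addr in the given process.
    Dump names carry no size, so a hit is a candidate, not proof the address is inside it."""
    cands = [r for r in regions if r.base <= addr and (proc is None or r.proc == proc)]
    return max(cands, key=lambda r: r.base, default=None)


if __name__ == "__main__":
    regions = parse_listing(SAMPLE_LISTING)
    for r in regions:
        print(r.describe())
    print("RWX regions:", [hex(r.base) for r in rwx_regions(regions)])
    hit = locate(regions, 0x0042094B)
    print("ref 0042094B ->", hit.describe() if hit else "no dump at or below")
```

Run on the six-line sample, the 0x400000 region (the PE header) comes out as PAGE_READWRITE and not executable, while 0x401000, 0x464000, 0x477000 and 0x5D3000 are reported as RWX; the reference 0042094B from the APIs entry resolves to the 0x401000 dump, which is the one the report names as its Source File.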
APIs
• Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 00433D70
  • Part of subcall function 00433B6E: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00433B91
• Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 00433D91
• Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 00433D9E
• Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 00433DEC
• Concurrency::details::SchedulerBase::AcquireQuickCacheSlot.LIBCMT ref: 00433E73
• Concurrency::details::WorkSearchContext::QuickSearch.LIBCMT ref: 00433E86
• Concurrency::details::WorkSearchContext::SearchCacheLocal_Runnables.LIBCONCRT ref: 00433ED3
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Concurrency::details::$Search$Work$Context::$Base::Scheduler$CachePriorityQuick$AcquireCheckItemItem::ListLocal_NextObjectPeriodicRunnablesScanSlot
• String ID:
• API String ID: 2530155754-0
• Opcode ID: 925280467736979cbc5bf4a80253c9a1663ecd74f11d340d47d23d8bc293b890
• Instruction ID: fad426fbcee99ad715e73aea2cfc9e861252a342e4e2ecd116c8f46434226bc2
• Opcode Fuzzy Hash: 925280467736979cbc5bf4a80253c9a1663ecd74f11d340d47d23d8bc293b890
• Instruction Fuzzy Hash: 4681B030904249ABDF169F55C941BFFBB72AF49309F04109AFC402B392C73A9E15DB69
Uniqueness
• Uniqueness Score: -1.00%
APIs
• Concurrency::details::WorkSearchContext::PreSearch.LIBCONCRT ref: 0043400F
  • Part of subcall function 00433B6E: Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00433B91
• Concurrency::details::SchedulerBase::PeriodicScan.LIBCONCRT ref: 00434030
• Concurrency::details::WorkSearchContext::CheckPriorityList.LIBCONCRT ref: 0043403D
• Concurrency::details::SchedulerBase::GetNextPriorityObject.LIBCMT ref: 0043408B
• Concurrency::details::WorkSearchContext::SearchCacheLocal_Unrealized.LIBCONCRT ref: 00434133
• Concurrency::details::WorkSearchContext::SearchCacheLocal_Realized.LIBCONCRT ref: 00434165
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Concurrency::details::Search$Work$Context::$Base::CacheLocal_PriorityScheduler$CheckItemItem::ListNextObjectPeriodicRealizedScanUnrealized
• String ID:
• API String ID: 1256429809-0
• Opcode ID: b3e8b0350241ae60eedd818e787342e1cc769bbf33edafb0f20adce9fcd58395
• Instruction ID: 8230f0d793337557569465acdde07a5464cff71ea5368a8fadc08440ed5c8056
• Opcode Fuzzy Hash: b3e8b0350241ae60eedd818e787342e1cc769bbf33edafb0f20adce9fcd58395
• Instruction Fuzzy Hash: 4471AD70A00248ABDF15CF94C980AFFBBB1AF89304F04509AFD116B392C739AD55DB65
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsInExceptionSpec.LIBVCRUNTIME ref: 00436A30
• type_info::operator==.LIBVCRUNTIME ref: 00436A57
• ___TypeMatch.LIBVCRUNTIME ref: 00436B63
• IsInExceptionSpec.LIBVCRUNTIME ref: 00436C3E
• CallUnexpected.LIBVCRUNTIME ref: 00436CE0
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: ExceptionSpec$CallMatchTypeUnexpectedtype_info::operator==
• String ID: csm$csm$csm$%5
• API String ID: 4162181273-2753281567
• Opcode ID: a034e151587a64e16e026538c32bfe3ded642fbe7d26de15c4278e3aabf4fa0f
• Instruction ID: 3d66056b1d1c614ed7a15dd9fd4be40838cb7232a6ee8cbe318af4ccac71915b
• Opcode Fuzzy Hash: a034e151587a64e16e026538c32bfe3ded642fbe7d26de15c4278e3aabf4fa0f
• Instruction Fuzzy Hash: 4BC18B7180020AEFCF25DF95C8819AEBBB4FF09314F16A15BE8516B302D739DA51CB99
Uniqueness

Uniqueness Score: -1.00%

APIs
• Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00423F06
• Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00423F6F
• Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00423FA3
  • Part of subcall function 00421E7D: Concurrency::details::ResourceManager::AffinityRestriction::ApplyAffinityLimits.LIBCMT ref: 00421E9D
• Concurrency::details::ResourceManager::GetTopologyInformation.LIBCONCRT ref: 00424023
• Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 0042406B
  • Part of subcall function 00421E52: Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCMT ref: 00421E6E
• Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 0042407F
• Concurrency::details::ResourceManager::ApplyAffinityRestrictions.LIBCONCRT ref: 00424090
• Concurrency::details::ResourceManager::CleanupTopologyInformation.LIBCMT ref: 004240DD
• Concurrency::details::ResourceManager::AffinityRestriction::FindGroupAffinity.LIBCONCRT ref: 0042410E
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Concurrency::details::Manager::Resource$Affinity$Apply$Restrictions$InformationTopology$Restriction::$CleanupFindGroupLimits
• String ID:
• API String ID: 1321587334-0
• Opcode ID: 5ce29a6c13b97327d0f0ab2336e57af363d035d83133a45c4d671c3e8a63b638
• Instruction ID: c4889ef11e561a1a3ff31e98b30f9f5b19429707d2c5915f07a0561700520f68
• Opcode Fuzzy Hash: 5ce29a6c13b97327d0f0ab2336e57af363d035d83133a45c4d671c3e8a63b638
• Instruction Fuzzy Hash: 8E81DF71B041268BCB08DFA8F8805BEB7F1FB98308B95443ED542A3750E7785A80CB8D
Uniqueness
Uniqueness Score: -1.00%
APIs
• Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 004280AF
• Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 004280E1
• List.LIBCONCRT ref: 0042811C
• Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 0042812D
• Concurrency::details::SchedulingRing::FindScheduleGroupSegment.LIBCMT ref: 00428149
• List.LIBCONCRT ref: 00428184
• Concurrency::details::SchedulingRing::GetNextScheduleGroupSegment.LIBCMT ref: 00428195
• Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 004281B0
• List.LIBCONCRT ref: 004281EB
• Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 004281F8
  • Part of subcall function 0042756F: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00427587
  • Part of subcall function 0042756F: Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00427599
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_explorha.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Concurrency::details::Scheduling$Find$GroupNode::ProcessorRing::ScheduleSegmentVirtual$ListNext$AcquireConcurrency::details::_Lock::_ReaderWriteWriter
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3403738998-0
                                                                                                                                                                                                                                                          • Opcode ID: 49fcf71f40cdee32d76cff0cfec7904b1821ee1dee631ce0987f33fef910e908
                                                                                                                                                                                                                                                          • Instruction ID: 8aeab8d4bbf7423fbcf7ce8ddb08971dcb1282923b8bb6fe83053fb75a8313e0
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 49fcf71f40cdee32d76cff0cfec7904b1821ee1dee631ce0987f33fef910e908
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A6515070B01229ABDF04DF95D495BFEB3A8BF08304F85406EE90597382DB38AE55CB94
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• _ValidateLocalCookies.LIBCMT ref: 00435F07
• ___except_validate_context_record.LIBVCRUNTIME ref: 00435F0F
• _ValidateLocalCookies.LIBCMT ref: 00435F98
• __IsNonwritableInCurrentImage.LIBCMT ref: 00435FC3
• _ValidateLocalCookies.LIBCMT ref: 00436018
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm$OC
• API String ID: 1170836740-3928031413
• Opcode ID: a6a2e94feb37b39f0f1ba53dbf49d821db261662eec2331d15046ea3c8626ffa
• Instruction ID: 5c566902f487a0261c70fc8ea0dcb80575b44035bd2f918777066fc367f8e5fc
• Opcode Fuzzy Hash: a6a2e94feb37b39f0f1ba53dbf49d821db261662eec2331d15046ea3c8626ffa
• Instruction Fuzzy Hash: 3F41D634A00618AFCF10DF69C885A9E7BB5AF4C328F14915BF8149B392D739DA05CF99
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • __EH_prolog3_GS.LIBCMT ref: 0042037D
                                                                                                                                                                                                                                                          • Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 004203A7
                                                                                                                                                                                                                                                            • Part of subcall function 00420A6D: Concurrency::critical_section::_Acquire_lock.LIBCONCRT ref: 00420A8A
                                                                                                                                                                                                                                                          • __alloca_probe_16.LIBCMT ref: 004203E3
                                                                                                                                                                                                                                                          • Concurrency::details::EventWaitNode::Satisfy.LIBCONCRT ref: 00420424
                                                                                                                                                                                                                                                          • Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 00420456
                                                                                                                                                                                                                                                          • __freea.LIBCMT ref: 0042047C
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_explorha.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Concurrency::details::_Lock::_Scoped_lock$Acquire_lockConcurrency::critical_section::_Concurrency::details::EventH_prolog3_Node::ReaderReentrantSatisfyScoped_lock::_Scoped_lock::~_WaitWriter__alloca_probe_16__freea
                                                                                                                                                                                                                                                          • String ID: $7E
                                                                                                                                                                                                                                                          • API String ID: 1319684358-1454645765
                                                                                                                                                                                                                                                          • Opcode ID: 29f8b74fe593beeb39248511adc263fdb9a2b144446be9e302d8a0cea8afd040
                                                                                                                                                                                                                                                          • Instruction ID: 672cad5c3c7fa5236748ee9396998ddb9eb70c4ee5071995017b4ddf5cd7aa72
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 29f8b74fe593beeb39248511adc263fdb9a2b144446be9e302d8a0cea8afd040
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 64318271B001258BDB14EF59D4415AEB7F5AF04314FA4806FE905F7342DB389E42CB99
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 00428A40
• Concurrency::details::SchedulingNode::FindMatchingVirtualProcessor.LIBCONCRT ref: 00428A82
• Concurrency::details::InternalContextBase::GetAndResetOversubscribedVProc.LIBCMT ref: 00428A9E
• Concurrency::details::VirtualProcessor::MarkForRetirement.LIBCONCRT ref: 00428AA9
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 00428AD0
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_explorha.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Concurrency::details::$Virtual$FindMatchingNode::ProcessorScheduling$Base::ContextInternalMarkOversubscribedProcProcessor::ResetRetirementstd::invalid_argument::invalid_argument
                                                                                                                                                                                                                                                          • String ID: count$ppVirtualProcessorRoots
                                                                                                                                                                                                                                                          • API String ID: 3897347962-3650809737
                                                                                                                                                                                                                                                          • Opcode ID: 2ff6bea6060bba3ce4285c56a657f39481881724b7047fecbaa045277378775a
                                                                                                                                                                                                                                                          • Instruction ID: 2bcc3e86694e4f260ce00335bd2a804c08a0b5209a42fb624f69a7e8ad7b911a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2ff6bea6060bba3ce4285c56a657f39481881724b7047fecbaa045277378775a
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23218E74B00228AFCB00DF55E585AAEB7B4BF45304F4440AFE801A7352DF38AE05CB98
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00428F93
                                                                                                                                                                                                                                                            • Part of subcall function 00427348: __EH_prolog3_catch.LIBCMT ref: 0042734F
                                                                                                                                                                                                                                                            • Part of subcall function 00427348: Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00427388
                                                                                                                                                                                                                                                          • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 00428FBA
                                                                                                                                                                                                                                                          • Concurrency::details::SchedulerBase::GetInternalContext.LIBCONCRT ref: 00428FC6
                                                                                                                                                                                                                                                            • Part of subcall function 00427348: Concurrency::details::SchedulerBase::AddContext.LIBCONCRT ref: 00427400
                                                                                                                                                                                                                                                            • Part of subcall function 00427348: Concurrency::details::InternalContextBase::SpinUntilBlocked.LIBCMT ref: 0042740E
                                                                                                                                                                                                                                                          • Concurrency::details::SchedulerBase::GetNextSchedulingRing.LIBCMT ref: 00429012
                                                                                                                                                                                                                                                          • Concurrency::location::_Assign.LIBCMT ref: 00429033
                                                                                                                                                                                                                                                          • Concurrency::details::SchedulerBase::StartupVirtualProcessor.LIBCONCRT ref: 0042903B
                                                                                                                                                                                                                                                          • Concurrency::details::SchedulerBase::ThrottlingTime.LIBCMT ref: 0042904D
                                                                                                                                                                                                                                                          • Concurrency::details::SchedulerBase::ChangeThrottlingTimer.LIBCONCRT ref: 0042907D
                                                                                                                                                                                                                                                            • Part of subcall function 00427FAD: Concurrency::details::SchedulerBase::FoundAvailableVirtualProcessor.LIBCONCRT ref: 00427FD2
                                                                                                                                                                                                                                                            • Part of subcall function 00427FAD: Concurrency::details::VirtualProcessor::ClaimTicket::ExerciseWith.LIBCMT ref: 00427FF5
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Concurrency::details::$Base::$Scheduler$ContextThrottling$InternalTimeVirtual$Processor$AssignAvailableBlockedChangeClaimConcurrency::location::_ExerciseFoundH_prolog3_catchNextProcessor::RingSchedulingSpinStartupTicket::TimerUntilWith
• String ID:
• API String ID: 1475861073-0
• Opcode ID: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
• Instruction ID: 6780c7f5da10cdf3d86edeba0089c415b885bc5a6ce62de2356cea10429cef9a
• Opcode Fuzzy Hash: e5f6ca3cbb7375102534bb9ce9f7030bf6bb821756b29020f3f95bdaa7addcda
• Instruction Fuzzy Hash: 02310830B042756BCF15AA7868527FF77B66F45348F4400AFD841D7242DB2D4D46C399
Uniqueness

Uniqueness Score: -1.00%

APIs
• Concurrency::details::UMS::CreateUmsCompletionList.LIBCONCRT ref: 0042F421
• Concurrency::details::InternalContextBase::ExecutedAssociatedChore.LIBCONCRT ref: 0042F43E
• Concurrency::details::InternalContextBase::WorkWasFound.LIBCONCRT ref: 0042F4A4
• Concurrency::details::InternalContextBase::ExecuteChoreInline.LIBCMT ref: 0042F4B9
• Concurrency::details::InternalContextBase::WaitForWork.LIBCONCRT ref: 0042F4CB
• Concurrency::details::InternalContextBase::CleanupDispatchedContextOnCancel.LIBCMT ref: 0042F4DB
• Concurrency::details::UMS::GetCurrentUmsThread.LIBCONCRT ref: 0042F504
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Concurrency::details::$Context$Base::Internal$ChoreWork$AssociatedCancelCleanupCompletionCreateCurrentDispatchedExecuteExecutedFoundInlineListThreadWait
• String ID:
• API String ID: 2885714658-0
• Opcode ID: 9786a44c29cec161a6a1604cce158b70c0dc27390808a7f65a4dde63bfa21aed
• Instruction ID: 9cd44feedb7aa833a90bb8d1952c3439258c5a6cfca8de6c434743cf35c69804
• Opcode Fuzzy Hash: 9786a44c29cec161a6a1604cce158b70c0dc27390808a7f65a4dde63bfa21aed
• Instruction Fuzzy Hash: 72419030B002649ACF14FBA5A5557EE76B16F15308FD400BFE8466B283CBAC5A4DC76A
Uniqueness

Uniqueness Score: -1.00%

APIs
• Concurrency::details::InternalContextBase::ReclaimVirtualProcessor.LIBCONCRT ref: 0042FE67
  • Part of subcall function 0042FBD4: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0042FC07
  • Part of subcall function 0042FBD4: Concurrency::details::VirtualProcessor::Deactivate.LIBCONCRT ref: 0042FC29
• Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042FEE4
• Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0042FEF0
• Concurrency::details::SchedulerBase::TriggerCommitSafePoints.LIBCMT ref: 0042FEFF
• Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0042FF09
• Concurrency::location::_Assign.LIBCMT ref: 0042FF3D
• Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0042FF45
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_explorha.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Concurrency::details::$Base::$Context$Virtual$DeactivateGroupInternalProcessorProcessor::ScheduleSchedulerSegment$ActiveAssignCommitConcurrency::location::_EventPointsReclaimReleaseRunnableSafeTraceTrigger
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1924466884-0
                                                                                                                                                                                                                                                          • Opcode ID: e8449384a5f9dc9b5dd38d569f4022d070e0216dc75ccb23ccca7c296e2aecfc
                                                                                                                                                                                                                                                          • Instruction ID: 8e1194a41766ad5a549cc5744bf2093e1c10dc942ae5d9550bb17b2c2fdded28
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e8449384a5f9dc9b5dd38d569f4022d070e0216dc75ccb23ccca7c296e2aecfc
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 06417C35B00214EFCB00EF64C494AADB7B5BF48304F5580BAED05AB342DB38AA05CF95
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • ListArray.LIBCONCRT ref: 00425BC8
                                                                                                                                                                                                                                                          • ListArray.LIBCONCRT ref: 00425BFC
                                                                                                                                                                                                                                                          • Hash.LIBCMT ref: 00425C65
                                                                                                                                                                                                                                                          • Hash.LIBCMT ref: 00425C75
                                                                                                                                                                                                                                                            • Part of subcall function 0042B2D1: std::bad_exception::bad_exception.LIBCMT ref: 0042B2F3
                                                                                                                                                                                                                                                          • Concurrency::details::RegisterAsyncTimerAndLoadLibrary.LIBCONCRT ref: 00425DDB
                                                                                                                                                                                                                                                          • Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00425E34
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: ArrayHashList$AsyncConcurrency::details::Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorLibraryLoadRegisterTimerstd::bad_exception::bad_exception
• String ID:
• API String ID: 3010677857-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• _SpinWait.LIBCONCRT ref: 0042054C
• Concurrency::details::WaitBlock::WaitBlock.LIBCMT ref: 00420558
• Concurrency::details::_NonReentrantPPLLock::_Scoped_lock::_Scoped_lock.LIBCONCRT ref: 00420571
• Concurrency::details::_ReaderWriterLock::_Scoped_lock::~_Scoped_lock.LIBCONCRT ref: 0042059F
• Concurrency::Context::Block.LIBCONCRT ref: 004205C1
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Wait$BlockConcurrency::details::_Lock::_Scoped_lock$Block::Concurrency::Concurrency::details::Context::ReaderReentrantScoped_lock::_Scoped_lock::~_SpinWriter
• String ID:
• API String ID: 1182035702-0
                                                                                                                                                                                                                                                          • Opcode ID: bd0f708955a5a8fa912070d565c265db3a7628838e7a338f558175f2e5054d35
                                                                                                                                                                                                                                                          • Instruction ID: 27ca713bf19b69124a7cf364d10b2d3b562ff928c133d033acb47d73f2d00879
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bd0f708955a5a8fa912070d565c265db3a7628838e7a338f558175f2e5054d35
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 16219170E00229AADF24DFA4E8456EFB7F0AF14314FA0051FE051A62D2E7798AC5CF59
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • Concurrency::details::FreeVirtualProcessorRoot::ResetOnIdle.LIBCONCRT ref: 004331E4
                                                                                                                                                                                                                                                          • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004331F3
                                                                                                                                                                                                                                                          • std::invalid_argument::invalid_argument.LIBCONCRT ref: 004332B7
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_explorha.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: std::invalid_argument::invalid_argument$Concurrency::details::FreeIdleProcessorResetRoot::Virtual
                                                                                                                                                                                                                                                          • String ID: pContext$switchState
                                                                                                                                                                                                                                                          • API String ID: 2656283622-2660820399
                                                                                                                                                                                                                                                          • Opcode ID: 5b824eb0ef7b245328d494a852abdffee4a0210eb9f8304aab15037cf36cfb08
                                                                                                                                                                                                                                                          • Instruction ID: cb81628d085eb3d758d35af1822e6c5e6f57b2759df42651ce960cba08f11de6
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b824eb0ef7b245328d494a852abdffee4a0210eb9f8304aab15037cf36cfb08
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8C31C775B00214ABCF05EF64C885A6E7375BF48316F2045ABEC15A7392DB78EF018B98
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • FindSITargetTypeInstance.LIBVCRUNTIME ref: 004364FD
                                                                                                                                                                                                                                                          • FindMITargetTypeInstance.LIBVCRUNTIME ref: 00436516
                                                                                                                                                                                                                                                          • PMDtoOffset.LIBCMT ref: 0043653C
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: FindInstanceTargetType$Offset
• String ID: Bad dynamic_cast!
• API String ID: 1467055271-2956939130
• Opcode ID: fcebd849ab63d1729e53f72f929d2366ba41e6b9f4c98f68f6ea240b76247e9b
• Instruction ID: 95c22f989acfec91a70538da289ceccae21cf438e8dd1fd7d9b4141120d24c99
• Opcode Fuzzy Hash: fcebd849ab63d1729e53f72f929d2366ba41e6b9f4c98f68f6ea240b76247e9b
• Instruction Fuzzy Hash: F6210772A00206BFCF14DE64ED06AAE77B8EB5C714F21D22FE91493285D73CE901869D
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: _wcsrchr
• String ID: .bat$.cmd$.com$.exe
• API String ID: 1752292252-4019086052
• Opcode ID: 3fb9335b4c81772db25afef3f8865aeecc0e6b8c7472962e0ee682996596e97e
• Instruction ID: 9c3f0ae0897fd244af4a759cd9991d2eefe7c68d9857e51b071df4fb4bc19f1d
• Opcode Fuzzy Hash: 3fb9335b4c81772db25afef3f8865aeecc0e6b8c7472962e0ee682996596e97e
• Instruction Fuzzy Hash: 3F01C877A44715262A19346AAC0262797A99BC9BB8F39102FFC44FB2C2EE9CDC41519C
Uniqueness
• Uniqueness Score: -1.00%

APIs
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 00421196
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_explorha.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error
                                                                                                                                                                                                                                                          • String ID: GetCurrentProcessorNumberEx$GetThreadGroupAffinity$SetThreadGroupAffinity$kernel32.dll
                                                                                                                                                                                                                                                          • API String ID: 348560076-465693683
                                                                                                                                                                                                                                                          • Opcode ID: 4e41e14e3f625ebab50e1db1a38abdf850269e153d0f9a42ab330c742b185f2b
                                                                                                                                                                                                                                                          • Instruction ID: a46725fed7281cf1fc9daa96a106b1a6e8b56a367812bd5c3acc3d6ca2aecb04
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4e41e14e3f625ebab50e1db1a38abdf850269e153d0f9a42ab330c742b185f2b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B80126A1B423212667107B793C07E7B22DC5A95759760053BF940E2262FA7CD814426D
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • StructuredWorkStealingQueue.LIBCMT ref: 00433744
                                                                                                                                                                                                                                                            • Part of subcall function 0042E183: Mailbox.LIBCMT ref: 0042E1BD
                                                                                                                                                                                                                                                          • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00433755
                                                                                                                                                                                                                                                          • StructuredWorkStealingQueue.LIBCMT ref: 0043378B
                                                                                                                                                                                                                                                          • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 0043379C
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Work$Concurrency::details::ItemItem::QueueStealingStructured$Mailbox
• String ID: e
• API String ID: 1411586358-4024072794
• Opcode ID: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
• Instruction ID: aaa9eb79467ee22d1f55b16b963371e14a5e03e9e1add8b86901d919875708a5
• Opcode Fuzzy Hash: 1b6716c63c17d6c6149872910042524b7f9ebb3f5e3c7538eb01a51a2faaeb53
• Instruction Fuzzy Hash: C611A7F5100105ABDB50DE2AC54166B73A49F0A32AF28D16BEC018F202DB39EE01CB99
Uniqueness
Uniqueness Score: -1.00%
APIs
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0042D09E
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error
• String ID: RoInitialize$RoUninitialize$combase.dll$tzF
• API String ID: 348560076-2140718660
• Opcode ID: 174b6e77d58af14c658f1137bce54b9a38cc0a8734b7cbd1d0bdd81e8f381f9c
• Instruction ID: ad79cb26a42dc004c31586bffeb7d0dc8e4a63d396bcd2ca8b79970ee7c5aa09
• Opcode Fuzzy Hash: 174b6e77d58af14c658f1137bce54b9a38cc0a8734b7cbd1d0bdd81e8f381f9c
• Instruction Fuzzy Hash: 12014961B4532026E710BBB52C02BAF319C5F4174CF60583BA880E2251FE6CD50583AE
Uniqueness

Uniqueness Score: -1.00%

APIs
Strings
• WakeAllConditionVariable, xrefs: 0041E6FE
• SleepConditionVariableCS, xrefs: 0041E6F2
• api-ms-win-core-synch-l1-2-0.dll, xrefs: 0041E6D0
• kernel32.dll, xrefs: 0041E6E1
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: ___scrt_fastfail
• String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
• API String ID: 2964418898-3242537097
• Opcode ID: b675b84cc2dcb2566f46c9c583140668ac32a998e177872d747028ebb4e06587
• Instruction ID: eda7662473e8c6215adffb21f489160bc87f55f7ebebe331d447f3e2ad4aab64
• Opcode Fuzzy Hash: b675b84cc2dcb2566f46c9c583140668ac32a998e177872d747028ebb4e06587
• Instruction Fuzzy Hash: B101A7746C6B2225F6316F369C11FA712585B92F6DF102132FC40E32C0E9A8DC5485AD
Uniqueness

Uniqueness Score: -1.00%

APIs
• __alloca_probe_16.LIBCMT ref: 004462B8
• __alloca_probe_16.LIBCMT ref: 0044637E
• __freea.LIBCMT ref: 004463EA
  • Part of subcall function 0043C66B: RtlAllocateHeap.NTDLL(00000000,93673986,?,?,0041EA91,93673986,?,0041911B,?,?,?,?,?,?,00406FE5,?), ref: 0043C69E
• __freea.LIBCMT ref: 004463F3
• __freea.LIBCMT ref: 00446416
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_explorha.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: __freea$__alloca_probe_16$AllocateHeap
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1423051803-0
                                                                                                                                                                                                                                                          • Opcode ID: 95b1c705879c1219a4b2c12fb1c76e0af5276391e929027b5a441507f1b43abb
                                                                                                                                                                                                                                                          • Instruction ID: 70bb42e2e0c6426baa9744f741c531200fdd6e2916c1076892019011ac23ce84
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 95b1c705879c1219a4b2c12fb1c76e0af5276391e929027b5a441507f1b43abb
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FD510372500216ABFB249F65CC82EAB37A9EF46714F16012FFD04E7241D778DC1197AA
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • Concurrency::location::_Assign.LIBCMT ref: 0042FFAE
                                                                                                                                                                                                                                                          • Concurrency::details::ScheduleGroupSegmentBase::AddRunnableContext.LIBCONCRT ref: 0042FFB6
                                                                                                                                                                                                                                                          • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042FFE0
                                                                                                                                                                                                                                                          • Concurrency::details::ScheduleGroupSegmentBase::ReleaseInternalContext.LIBCMT ref: 0042FFE9
                                                                                                                                                                                                                                                          • Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0043006C
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Concurrency::details::Context$Base::$GroupScheduleSegment$AssignAvailableConcurrency::location::_EventInternalMakeProcessor::ReleaseRunnableTraceVirtual
• String ID:
• API String ID: 512098550-0
• Opcode ID: 7c4c78bc140def459cebcf4a27618dea241ead1525ace890d452c2b55dfdd071
• Instruction ID: 4b26de0c38222d72572f112a0354c4d174b16348c5e099a7604f65f8789f82aa
• Opcode Fuzzy Hash: 7c4c78bc140def459cebcf4a27618dea241ead1525ace890d452c2b55dfdd071
• Instruction Fuzzy Hash: 8E417039B00618EFCB09DF64D554AADB7B5FF89310F10816AE806A7391CB78AE01CF85
Uniqueness

Uniqueness Score: -1.00%

APIs
• Concurrency::details::ReferenceCountedQuickBitSet::InterlockedSet.LIBCONCRT ref: 0042E9D4
• ListArray.LIBCONCRT ref: 0042E9F7
• Concurrency::details::SchedulerBase::VirtualProcessorActive.LIBCONCRT ref: 0042EA00
• ListArray.LIBCONCRT ref: 0042EA38
• Concurrency::details::VirtualProcessor::MakeAvailable.LIBCONCRT ref: 0042EA43
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Concurrency::details::$ArrayListVirtual$ActiveAvailableBase::CountedInterlockedMakeProcessorProcessor::QuickReferenceSchedulerSet::
• String ID:
• API String ID: 4212520697-0
• Opcode ID: ee3e49d56f27a579a2b4c82f862bae9c51033c2ebbac301f5f67fde3ce489b5e
• Instruction ID: e968773ec3fcc41d20006a7464af07248ada91c9dc38d5fb9bbfa62c34737ec5
• Opcode Fuzzy Hash: ee3e49d56f27a579a2b4c82f862bae9c51033c2ebbac301f5f67fde3ce489b5e
• Instruction Fuzzy Hash: 7A31A379700220AFCB05DF56D880B6EB7A6BF89304F45009BE8069B352DB78ED41CF96
Uniqueness

Uniqueness Score: -1.00%

APIs
• _SpinWait.LIBCONCRT ref: 00429D7E
  • Part of subcall function 00420160: _SpinWait.LIBCONCRT ref: 00420178
• Concurrency::details::ContextBase::ClearAliasTable.LIBCONCRT ref: 00429D92
• Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 00429DC4
• List.LIBCMT ref: 00429E47
• List.LIBCMT ref: 00429E56
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: ListSpinWait$AcquireAliasBase::ClearConcurrency::details::Concurrency::details::_ContextLock::_ReaderTableWriteWriter
• String ID:
• API String ID: 3281396844-0
• Opcode ID: 1ecd342d107a48bb8c34f179476772d6193d166a2cabfb700d2cdc518eb6e289
• Instruction ID: 4db0ee6525530f89cb22a9de412767864aa15df0160c4cef62ef78a9905ab37c
• Opcode Fuzzy Hash: 1ecd342d107a48bb8c34f179476772d6193d166a2cabfb700d2cdc518eb6e289
• Instruction Fuzzy Hash: 20319C72E01665DFCB14EFA5E5916EDBBB0BF04308F85006FD80167292CB396D14DBA9
Uniqueness

Uniqueness Score: -1.00%

APIs
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 00432F31
• Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 00432F78
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Concurrency::details::FreeIdleProcessorRoot::SpinUntilVirtualstd::invalid_argument::invalid_argument
• String ID: pContext
• API String ID: 3390424672-2046700901
Uniqueness

Uniqueness Score: -1.00%

APIs
• List.LIBCONCRT ref: 0042C57A
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042C59F
• Concurrency::details::FreeVirtualProcessorRoot::FreeVirtualProcessorRoot.LIBCONCRT ref: 0042C5DE
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: FreeProcessorVirtual$Concurrency::details::ListRootRoot::std::invalid_argument::invalid_argument
• String ID: pExecutionResource
• API String ID: 1772865662-359481074
Uniqueness

Uniqueness Score: -1.00%

APIs
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 004265B4
• Concurrency::details::CacheLocalScheduleGroupSegment::CacheLocalScheduleGroupSegment.LIBCONCRT ref: 004265F6
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: CacheGroupLocalSchedule$Concurrency::details::SegmentSegment::std::invalid_argument::invalid_argument
• String ID: count$ppVirtualProcessorRoots
• API String ID: 2663199487-3650809737
• Opcode ID: 6361e451ae052300b6d2c75e9509043c5b4fe19f1aed5e540fdfe11b5dce5766
• Instruction ID: b326208d15c5b69d292ff44550bcf52f270a02fb517e7284eafe8e5fe796d6ba
• Opcode Fuzzy Hash: 6361e451ae052300b6d2c75e9509043c5b4fe19f1aed5e540fdfe11b5dce5766
• Instruction Fuzzy Hash: EB21AE38B00215BFCB04EF69D892AAD77A5BF08305F50402FF90697291DB79AA41CB99
Uniqueness

Uniqueness Score: -1.00%

APIs
• SafeRWList.LIBCONCRT ref: 00428503
  • Part of subcall function 004264FE: Concurrency::details::_ReaderWriterLock::_AcquireWrite.LIBCONCRT ref: 0042650F
  • Part of subcall function 004264FE: List.LIBCMT ref: 00426519
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 00428515
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 0042853A
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: List$AcquireConcurrency::details::_Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorLock::_ReaderSafeWriteWriterstd::invalid_argument::invalid_argument
• String ID: eventObject
• API String ID: 1288476792-1680012138
• Opcode ID: 4a4229085f85405acfa72b7e6a4c5973518a6fc8cefbc56a01ee78bbb06c39c4
• Instruction ID: 569e615db6367cb6745cfb1ad144bec2684f8313e02b5a83b67de5c212d5ccdc
• Opcode Fuzzy Hash: 4a4229085f85405acfa72b7e6a4c5973518a6fc8cefbc56a01ee78bbb06c39c4
• Instruction Fuzzy Hash: 001125B1601214B6DB24EBA4DC4AFEF73AC5F00345FA0412FB405A60D1EF78AA4486BD
Uniqueness
• Uniqueness Score: -1.00%

APIs
• Concurrency::details::SchedulerProxy::GetCurrentThreadExecutionResource.LIBCMT ref: 0042B792
• Concurrency::details::ResourceManager::RemoveExecutionResource.LIBCONCRT ref: 0042B7B6
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042B7C9
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Resource$Concurrency::details::Execution$CurrentManager::Proxy::RemoveSchedulerThreadstd::invalid_argument::invalid_argument
• String ID: pScheduler
• API String ID: 246774199-923244539
• Opcode ID: aacefa36a72393e2cf212a0155860692a63ed77994a9f397c1d23455f276a9d7
• Instruction ID: b26db98342b5852000fd0f46ae24f2eefec83530fc0aacbc817937c04542101a
• Opcode Fuzzy Hash: aacefa36a72393e2cf212a0155860692a63ed77994a9f397c1d23455f276a9d7
• Instruction Fuzzy Hash: FCF0B439B0062467C714FA11F842DAFB378DED07157A4852FF41653282EB78A946C6D9
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Opcode ID: 7941c91dc3c81985f55d5af0d0e5d35b4c2fcc41726f6f06d2574da038ee3747
• Instruction ID: 066dfe2007c254fce6fe3ea105bf8568cca1db4c7b2401970420d2f8d6e47773
• Opcode Fuzzy Hash: 7941c91dc3c81985f55d5af0d0e5d35b4c2fcc41726f6f06d2574da038ee3747
• Instruction Fuzzy Hash: 69B116329022959FDB11CF6AC8417AFBBE5EF5D300F1451ABE851DB382D2399D02CB69
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_explorha.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: __alloca_probe_16__freea
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1635606685-0
                                                                                                                                                                                                                                                          • Opcode ID: 03c4c36842b357f94f69e0f1f43ef5169da05bdf80774c22c13b66b9a8d1fecb
                                                                                                                                                                                                                                                          • Instruction ID: be4d8779dba75646d997d3007581567f43400b012e3a07eced93f2850cc95f67
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 03c4c36842b357f94f69e0f1f43ef5169da05bdf80774c22c13b66b9a8d1fecb
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9B81E2729042059BFF209E658882EEF7BB5DF49714F29019BE900B7241DB2DCC46CBA9
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
• Opcode ID: 6f00521dcd9fcf3ac36ea6c79e324164a9bf9f94c49e03537700064329ca6a6c
• Instruction ID: c8a6c50e980200ccdb16a89eccd0242f9098ea48f2912343f5db305777354ec6
• Opcode Fuzzy Hash: 6f00521dcd9fcf3ac36ea6c79e324164a9bf9f94c49e03537700064329ca6a6c
• Instruction Fuzzy Hash: AB51E175A01603BFDB29AF15C941BAA73A4EF0C308F25D02FE85147291E739EC91CB99
Uniqueness

Uniqueness Score: -1.00%

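The dump names in the Memory Dump Source lists above encode, per region, the base address and the page protection under which the region was captured. The following is an added example for this page, not Joe Sandbox code: it splits those names into fields and groups the regions by protection, so that the writable-and-executable image pages (the ones in-place unpacking leaves behind) can be picked out of a long Associated list. The field layout, proc.phase.dump_id.base.protect.flag.mem_type.module, is an assumption inferred from the names on this page; only the PAGE_* and MEM_* constants used to name the values are documented Win32 facts. The sample list is constructed from eight names that appear above.

```python
"""Decode Joe Sandbox .sdmp memory-dump names such as those listed above.

Added example, not Joe Sandbox code. ASSUMPTION: the eight dot-separated
fields are <proc>.<phase>.<dump_id>.<base>.<protect>.<flag>.<mem_type>.<module>,
with <base>, <protect>, <flag>, <mem_type> and <module> in hex. The PAGE_* and
MEM_* values used to label <protect> and <mem_type> are the documented Win32
constants from winnt.h.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Win32 base page protections (winnt.h). Modifier bits (PAGE_GUARD 0x100,
# PAGE_NOCACHE 0x200, PAGE_WRITECOMBINE 0x400) are masked off before lookup.
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
WRITABLE_AND_EXECUTABLE = {0x40, 0x80}

# Win32 region types as reported by VirtualQuery (winnt.h).
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


@dataclass(frozen=True)
class Sdmp:
    proc: int       # analysis process number (assumed meaning)
    phase: int      # dump phase (assumed meaning)
    dump_id: int    # per-dump counter (assumed meaning)
    base: int       # region base address
    protect: int    # raw page protection value
    flag: int       # unknown field, kept raw
    mem_type: int   # raw MEM_* value
    module: int     # module index (assumed meaning)

    @property
    def protect_name(self) -> str:
        return PAGE_PROTECTION.get(self.protect & 0xFF, f"0x{self.protect:X}")

    @property
    def mem_type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def writable_executable(self) -> bool:
        return (self.protect & 0xFF) in WRITABLE_AND_EXECUTABLE


def parse_sdmp(name: str) -> Sdmp:
    """Split one .sdmp file name into its fields; reject anything unexpected."""
    stem = name[:-5] if name.endswith(".sdmp") else name
    parts = stem.split(".")
    if len(parts) != 8:
        raise ValueError(f"expected 8 dot-separated fields, got {len(parts)}: {name!r}")
    proc, phase, dump_id, base, protect, flag, mem_type, module = parts
    return Sdmp(
        proc=int(proc, 10), phase=int(phase, 10), dump_id=int(dump_id, 10),
        base=int(base, 16), protect=int(protect, 16), flag=int(flag, 16),
        mem_type=int(mem_type, 16), module=int(module, 16),
    )


def group_by_protection(names: list[str]) -> dict[str, list[int]]:
    """Map protection name -> sorted list of region base addresses."""
    groups: dict[str, list[int]] = defaultdict(list)
    for dump in map(parse_sdmp, names):
        groups[dump.protect_name].append(dump.base)
    return {name: sorted(bases) for name, bases in groups.items()}


def rwx_image_regions(names: list[str]) -> list[int]:
    """Bases of MEM_IMAGE regions that are both writable and executable.

    A cleanly loaded PE maps its sections R-X or RW-, never RWX, so RWX image
    pages are where in-place unpacking or self-modifying code lives and are
    the first dumps worth loading into a disassembler.
    """
    return sorted(
        dump.base for dump in map(parse_sdmp, names)
        if dump.mem_type == 0x1000000 and dump.writable_executable
    )


# Constructed sample: eight of the "Associated" dump names listed on this page.
SAMPLE_DUMPS = [
    "00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp",
    "00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp",
    "00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp",
    "00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp",
    "00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp",
    "00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp",
    "00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp",
    "00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp",
]

if __name__ == "__main__":
    for prot, bases in group_by_protection(SAMPLE_DUMPS).items():
        print(f"{prot:<24} {[hex(b) for b in bases]}")
    print("RWX image regions:", [hex(b) for b in rwx_image_regions(SAMPLE_DUMPS)])
```

Run against the full Associated list of one entry, the grouping shows at a glance which regions of the 0x400000 image were captured as PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY rather than the read-only or execute-only protections a loader normally applies; those are the dumps to diff against the on-disk sections when reconstructing the unpacked payload.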
APIs
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: EqualOffsetTypeids
• String ID:
• API String ID: 1707706676-0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Mtx_unlock$Cnd_broadcastCurrentThread
• String ID:
• API String ID: 3264154886-0
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • Concurrency::details::ContextBase::TraceContextEvent.LIBCMT ref: 0042F1F4
                                                                                                                                                                                                                                                            • Part of subcall function 0042A5BF: Concurrency::details::ContextBase::ThrowContextEvent.LIBCONCRT ref: 0042A5E0
                                                                                                                                                                                                                                                          • Concurrency::details::InternalContextBase::FindWorkForBlockingOrNesting.LIBCONCRT ref: 0042F253
                                                                                                                                                                                                                                                          • Concurrency::details::InternalContextBase::PrepareForUse.LIBCONCRT ref: 0042F279
                                                                                                                                                                                                                                                          • Concurrency::location::_Assign.LIBCMT ref: 0042F2E6
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Context$Base::Concurrency::details::$EventInternal$AssignBlockingConcurrency::location::_FindNestingPrepareThrowTraceWork
• String ID:
• API String ID: 1091748018-0
• Opcode ID: c56fe6f2517f44fc071abdbb21b039958958394dc7ca887a7e06f1d88deac88b
• Instruction ID: 4c12cc2a82eae4145b0b698d100e22c260c69570430231bd69a72eb47849d9e8
• Opcode Fuzzy Hash: c56fe6f2517f44fc071abdbb21b039958958394dc7ca887a7e06f1d88deac88b
• Instruction Fuzzy Hash: 65414B74700224ABCF159B65D885BAEBB74AF4A710F9000BFE40297382CF789E49C7A5
Uniqueness

Uniqueness Score: -1.00%

APIs
• _InternalDeleteHelper.LIBCONCRT ref: 00426D82
• _InternalDeleteHelper.LIBCONCRT ref: 00426DB6
• Concurrency::details::SchedulerBase::TraceSchedulerEvent.LIBCMT ref: 00426E1B
• SafeRWList.LIBCONCRT ref: 00426E2A
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: DeleteHelperInternalScheduler$Base::Concurrency::details::EventListSafeTrace
• String ID:
• API String ID: 893951542-0
Uniqueness
• Uniqueness Score: -1.00%
APIs
• Concurrency::details::ResourceManager::InitializeRMBuffers.LIBCMT ref: 0042439F
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: BuffersConcurrency::details::InitializeManager::Resource
• String ID:
• API String ID: 3433162309-0
                                                                                                                                                                                                                                                          • Opcode ID: 743c5f1d943060584d064f57067e22c54fe8f4993b95126fc7cc05738b5c3501
                                                                                                                                                                                                                                                          • Instruction ID: 9c436fb916177181b9383431ac2b22bec9c88f00f5e47d5b7f3f3f451b1d87a8
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 743c5f1d943060584d064f57067e22c54fe8f4993b95126fc7cc05738b5c3501
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 89318935A00329DFCF10EF94D4C0BAE7BB9EB94344F4000AADD01AB346D734A905CBA5
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • __EH_prolog3_catch.LIBCMT ref: 00432A89
                                                                                                                                                                                                                                                          • Concurrency::details::_TaskCollectionBase::_GetTokenState.LIBCONCRT ref: 00432AD4
                                                                                                                                                                                                                                                          • Concurrency::details::_CancellationTokenState::_RegisterCallback.LIBCONCRT ref: 00432B07
                                                                                                                                                                                                                                                          • Concurrency::details::_StructuredTaskCollection::_CountUp.LIBCMT ref: 00432BB7
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Concurrency::details::_$TaskToken$Base::_CallbackCancellationCollectionCollection::_CountH_prolog3_catchRegisterStateState::_Structured
• String ID:
• API String ID: 2092016602-0
• Opcode ID: cc763a0195c3a4261a78c47595061bab419dd8406f8d7dd8ce2de606824989ae
• Instruction ID: 488b9ffe5e0cee44abd7fb6cb2bf935ea675e78200e755187d853be73c6cf625
• Opcode Fuzzy Hash: cc763a0195c3a4261a78c47595061bab419dd8406f8d7dd8ce2de606824989ae
• Instruction Fuzzy Hash: 8F318D70A006159BCF14EF69C5915EEFBB1BF48314B14922EE415A7381DB78A941CB98
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Xtime_diff_to_millis2_xtime_get
• String ID:
• API String ID: 531285432-0
• Opcode ID: c02af9f190d6fa0f5de75b39b28a182e4df32a586fc4f765fbec0787f750ce09
• Instruction ID: d6241fff8af4c788b0863f3c3bdebc4be770318fd68eeb35ee5327cbac98f38d
• Opcode Fuzzy Hash: c02af9f190d6fa0f5de75b39b28a182e4df32a586fc4f765fbec0787f750ce09
• Instruction Fuzzy Hash: 58212175E00219AFDF00EF95DC819FEBBB9EF49714F10005AFA01A7251D7749D418BA5
Uniqueness
• Uniqueness Score: -1.00%
APIs
• __EH_prolog3_catch.LIBCMT ref: 0042B32C
• Concurrency::SchedulerPolicy::_ValidPolicyValue.LIBCONCRT ref: 0042B378
• std::bad_exception::bad_exception.LIBCMT ref: 0042B38E
• std::bad_exception::bad_exception.LIBCMT ref: 0042B3FA
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: std::bad_exception::bad_exception$Concurrency::H_prolog3_catchPolicyPolicy::_SchedulerValidValue
• String ID:
• API String ID: 2033596534-0
• Opcode ID: aa56b5aa18982186d07af5db2b107cff73d9a3eaf0b45d413725f686da378f39
• Instruction ID: 720fc07a57abd56cc69cc845efb6940cdee35469630e94d12a10eed8fa079344
• Opcode Fuzzy Hash: aa56b5aa18982186d07af5db2b107cff73d9a3eaf0b45d413725f686da378f39
• Instruction Fuzzy Hash: 97218831A00524AFDB05EFA5E582D9DB7B4EF05318F60402FF405AB252DB796D42CB9D
Uniqueness
• Uniqueness Score: -1.00%
APIs
• Concurrency::details::SchedulerProxy::IncrementFixedCoreCount.LIBCONCRT ref: 0042B6F9
  • Part of subcall function 0042CBF0: Concurrency::details::SchedulerProxy::ToggleBorrowedState.LIBCONCRT ref: 0042CC3F
                                                                                                                                                                                                                                                          • Concurrency::details::HardwareAffinity::HardwareAffinity.LIBCMT ref: 0042B70F
                                                                                                                                                                                                                                                          • Concurrency::details::SchedulerProxy::AddExecutionResource.LIBCONCRT ref: 0042B75B
                                                                                                                                                                                                                                                            • Part of subcall function 0042C1D1: List.LIBCONCRT ref: 0042C207
                                                                                                                                                                                                                                                          • Concurrency::details::ExecutionResource::SetAsCurrent.LIBCMT ref: 0042B76B
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Concurrency::details::$Proxy::Scheduler$ExecutionHardware$AffinityAffinity::BorrowedCoreCountCurrentFixedIncrementListResourceResource::StateToggle
• String ID:
• API String ID: 932774601-0
• Opcode ID: 5c0d3035ca0faf7f7ed8ec5e5c1df73f658bea3f5ff218b3a1c32b8eb8b00bbe
• Instruction ID: 8bfd5995c0ffc96fc508c606afccfd85313f8fb404b5fe2b7e4c7b7f3a249cd7
• Opcode Fuzzy Hash: 5c0d3035ca0faf7f7ed8ec5e5c1df73f658bea3f5ff218b3a1c32b8eb8b00bbe
• Instruction Fuzzy Hash: D621B231A006209FCB24EF66E9918AFB3F5FF8C304740455EE54297661CB78F901CBA9
Uniqueness

Uniqueness Score: -1.00%

APIs
• ListArray.LIBCONCRT ref: 004304FA
• ListArray.LIBCONCRT ref: 0043050C
  • Part of subcall function 004305B9: _InternalDeleteHelper.LIBCONCRT ref: 004305CB
• ListArray.LIBCONCRT ref: 00430516
• _InternalDeleteHelper.LIBCONCRT ref: 0043052F
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: ArrayList$DeleteHelperInternal
• String ID:
• API String ID: 3844194624-0
• Opcode ID: 0eaed47ac702804114dc4f0dbaf6fe980ba0538cb8e901e216a64a3acaa133d7
• Instruction ID: 794e735e1be0b1039af2449f8edd97317683744cdb7f178d09de23eed8bd0c36
• Opcode Fuzzy Hash: 0eaed47ac702804114dc4f0dbaf6fe980ba0538cb8e901e216a64a3acaa133d7
• Instruction Fuzzy Hash: 0C012672200634FFCA11BB63D892E7EB729BF88714740222FF90057602DB28FC519AD8
Uniqueness

Uniqueness Score: -1.00%

APIs
• ListArray.LIBCONCRT ref: 0042E755
• ListArray.LIBCONCRT ref: 0042E767
  • Part of subcall function 0042DD42: _InternalDeleteHelper.LIBCONCRT ref: 0042DD54
• ListArray.LIBCONCRT ref: 0042E771
• _InternalDeleteHelper.LIBCONCRT ref: 0042E78A
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: ArrayList$DeleteHelperInternal
• String ID:
• API String ID: 3844194624-0
• Opcode ID: 14a0959522c3f5f65b46b48b4713040257448f9f9029b1588f58a37af8afb995
• Instruction ID: 66966411fb7aac5f52645cbb3a10f3643f2526897b69ee2ffaef0c5811e3eac6
• Opcode Fuzzy Hash: 14a0959522c3f5f65b46b48b4713040257448f9f9029b1588f58a37af8afb995
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C901D671700535AFCA257B63E8C2F7EBB69BFC4718380412FF9045B611DB28AC519698
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • Concurrency::details::SchedulingNode::FindVirtualProcessor.LIBCMT ref: 00434A68
                                                                                                                                                                                                                                                          • Concurrency::details::VirtualProcessor::ServiceMark.LIBCMT ref: 00434A7C
                                                                                                                                                                                                                                                          • Concurrency::details::SchedulingNode::GetNextVirtualProcessor.LIBCMT ref: 00434A94
                                                                                                                                                                                                                                                          • Concurrency::details::WorkItem::WorkItem.LIBCMT ref: 00434AAC
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_explorha.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Concurrency::details::$Virtual$Node::ProcessorSchedulingWork$FindItemItem::MarkNextProcessor::Service
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 78362717-0
                                                                                                                                                                                                                                                          • Opcode ID: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
                                                                                                                                                                                                                                                          • Instruction ID: 5e018d28ffd389c31a54de4656559a7545d1a44792d5484d11b79d83e6793cfc
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ed5c3284882ece478fbb3367f1f8f5dbd69f78bf790bb9c4c006e6817b181867
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2D01DF32640214B7CB11BE958841AEF77999F88364F00101AFC11A7282DA28FD0186A8
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • ListArray.LIBCONCRT ref: 00425F23
                                                                                                                                                                                                                                                          • ListArray.LIBCONCRT ref: 00425F35
                                                                                                                                                                                                                                                            • Part of subcall function 00426BE5: _InternalDeleteHelper.LIBCONCRT ref: 00426BF4
                                                                                                                                                                                                                                                          • ListArray.LIBCONCRT ref: 00425F3F
                                                                                                                                                                                                                                                          • _InternalDeleteHelper.LIBCONCRT ref: 00425F58
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_explorha.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ArrayList$DeleteHelperInternal
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3844194624-0
                                                                                                                                                                                                                                                          • Opcode ID: b324f218ed25e5c4ce0825d069f4a63b177ba66ff6d37603220d768471d08d3b
                                                                                                                                                                                                                                                          • Instruction ID: 2e11b408423eab739df10cc75d27c0275182865f1930689a50cfe0d1490f8327
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b324f218ed25e5c4ce0825d069f4a63b177ba66ff6d37603220d768471d08d3b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A001F772300534AFCA127B56E982A7E7B19BF447143C1002AF9009B611DF28FC51D698
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • Concurrency::details::SchedulerBase::CurrentContext.LIBCMT ref: 0042ABA9
                                                                                                                                                                                                                                                            • Part of subcall function 00420B5B: Concurrency::details::SchedulerBase::GetDefaultScheduler.LIBCONCRT ref: 00426B16
                                                                                                                                                                                                                                                          • Concurrency::details::ContextBase::CancelCollection.LIBCONCRT ref: 0042ABCD
                                                                                                                                                                                                                                                          • Concurrency::details::_TaskCollectionBase::_FinishCancelState.LIBCMT ref: 0042ABE0
                                                                                                                                                                                                                                                          • Concurrency::details::ContextBase::CancelStealers.LIBCMT ref: 0042ABE9
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Base::Concurrency::details::$CancelContextScheduler$Collection$Base::_Concurrency::details::_CurrentDefaultFinishStateStealersTask
• String ID:
• API String ID: 218105897-0
• Opcode ID: 4615e97fafe502f6002d1074aebf71b8ed261496fd89dd89418fafc456e0ff3f
• Instruction ID: 72a60aebb2cb11d353bc7d35cd417bc944a5addc28d70032b9643893ace0919a
• Opcode Fuzzy Hash: 4615e97fafe502f6002d1074aebf71b8ed261496fd89dd89418fafc456e0ff3f
• Instruction Fuzzy Hash: 22F0A030300A305FE620AA25A811F6A77D59F44319F40845FE96ADB282CA6CFD42CB5A
Uniqueness
Uniqueness Score: -1.00%

Strings
• C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe, xrefs: 0043F608
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID:
• String ID: C:\Users\user\AppData\Local\Temp\09fd851a4f\explorha.exe
• API String ID: 0-1970481934
• Opcode ID: 984e6ece7c39cc25d6cc2f2cb339e5a973110b3607d35a159d0794f41c835e38
• Instruction ID: a1de9db270b14ccff043861af16c459dfc8b98580019e7b6a16d373c2a263b25
• Opcode Fuzzy Hash: 984e6ece7c39cc25d6cc2f2cb339e5a973110b3607d35a159d0794f41c835e38
• Instruction Fuzzy Hash: 0521AA71E002056F9B20AF668C82D67B39D9F4C368F11553BF86497261EB39EC0647AD
Uniqueness
Uniqueness Score: -1.00%

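Every function entry above repeats the same set of memory-dump names, and their fields are what tells a triager which of the dumped regions of explorha.exe were both writable and executable (the report's "Detected unpacking (changes PE section rights)" finding). The following is an added helper, not part of the Joe Sandbox report or its tooling, that pulls those .sdmp names out of raw report text (tolerating the "Download File" link residue glued onto each line) and decodes them. On this page the fifth field only ever takes the values 0x04, 0x40 and 0x80, which are exactly PAGE_READWRITE, PAGE_EXECUTE_READWRITE and PAGE_EXECUTE_WRITECOPY, and the seventh is always 0x01000000 = MEM_IMAGE; reading those two fields as the region's page protection and memory type is an inference from those values, and the other field names in the regex are likewise assumptions, since Joe Sandbox does not document the naming scheme here. The sample report text is constructed from four lines of the listing above.

```python
"""Decode Joe Sandbox memory-dump (.sdmp) names and flag write+execute regions.

Field names are an ASSUMPTION derived from the values observed on the page;
only the Win32 PAGE_* / MEM_* constants used to decode them are standard.
"""
import re
from dataclasses import dataclass
from typing import List

# Standard Win32 page-protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Protections that permit both writing and execution: the classic unpacking/injection signal.
WRITE_AND_EXECUTE = {0x40, 0x80}

# Standard Win32 memory-type constants (MEMORY_BASIC_INFORMATION.Type).
MEM_TYPE = {0x01000000: "MEM_IMAGE", 0x00040000: "MEM_MAPPED", 0x00020000: "MEM_PRIVATE"}

# Eight dot-separated fields before ".sdmp". The group names are assumptions
# (proc index, dump phase, sequence, base address, protection, unknown,
# memory type, unknown); field widths match every name on the page.
SDMP_RE = re.compile(
    r"(?P<proc>[0-9A-Fa-f]{8})\.(?P<phase>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<field6>[0-9A-Fa-f]{8})\."
    r"(?P<memtype>[0-9A-Fa-f]{8})\.(?P<field8>[0-9A-Fa-f]{8})\.sdmp"
)


@dataclass(frozen=True)
class Sdmp:
    name: str
    process: int
    base: int
    protect: int
    memtype: int

    @property
    def protection_name(self) -> str:
        # Mask off modifiers such as PAGE_GUARD (0x100) before the lookup.
        return PAGE_PROTECTION.get(self.protect & 0xFF, f"0x{self.protect:x}")

    @property
    def memtype_name(self) -> str:
        return MEM_TYPE.get(self.memtype, f"0x{self.memtype:x}")

    @property
    def writable_and_executable(self) -> bool:
        return (self.protect & 0xFF) in WRITE_AND_EXECUTE


def extract_sdmp_names(text: str) -> List[str]:
    """Pull .sdmp names out of raw report text. Because the regex matches the
    name itself rather than the whole line, a trailing 'Download File' or a
    following ', Offset: ...' is simply left behind."""
    return [m.group(0) for m in SDMP_RE.finditer(text)]


def parse_sdmp(name: str) -> Sdmp:
    m = SDMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"not an sdmp name: {name!r}")
    return Sdmp(
        name=m.group(0),
        process=int(m["proc"], 16),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        memtype=int(m["memtype"], 16),
    )


def flag_wx_regions(text: str) -> List[Sdmp]:
    """Return the dumps whose region was both writable and executable, by base address."""
    dumps = [parse_sdmp(n) for n in extract_sdmp_names(text)]
    return sorted((d for d in dumps if d.writable_and_executable), key=lambda d: d.base)


# Constructed sample: four lines copied from the listing above, including the
# 'Download File' residue exactly as it appears after extraction.
SAMPLE_REPORT = """\
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmpDownload File
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmpDownload File
"""

if __name__ == "__main__":
    for d in flag_wx_regions(SAMPLE_REPORT):
        print(f"proc {d.process} base 0x{d.base:08x} {d.protection_name:<24} {d.memtype_name}")
```

Run against the full listing, the base addresses that come back with PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY are the ones worth diffing against the on-disk explorha.exe sections: a legitimately mapped image keeps its code pages execute-only, so a write-capable executable range is where the unpacked or patched code lives.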
APIs
• Concurrency::details::RegisterAsyncWaitAndLoadLibrary.LIBCONCRT ref: 00432087
• Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_error.LIBCONCRT ref: 004320DA
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: AsyncConcurrency::details::Concurrency::scheduler_resource_allocation_error::scheduler_resource_allocation_errorLibraryLoadRegisterWait
• String ID: >sB
• API String ID: 3925076270-1299454721
• Opcode ID: 11f84e551061dadf3147726817d5385d5284f7641b4dedee8090924b40a1670b
• Instruction ID: e2b985995aefb7e49387c1e13a2518835c4f7a6434969cdfd7e07578add78967
• Opcode Fuzzy Hash: 11f84e551061dadf3147726817d5385d5284f7641b4dedee8090924b40a1670b
• Instruction Fuzzy Hash: 4D113F71A413106AD714B7755D46F9F36AC5F46344F24103BFE44FB151E9A8D90483BE
Uniqueness

Uniqueness Score: -1.00%

APIs
• Concurrency::details::FreeVirtualProcessorRoot::SpinUntilIdle.LIBCONCRT ref: 00432DF1
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 00432E3C
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Concurrency::details::FreeIdleProcessorRoot::SpinUntilVirtualstd::invalid_argument::invalid_argument
• String ID: pContext
• API String ID: 3390424672-2046700901
• Opcode ID: 667d34521df6348001af9065cee2be596689d5e3e671a6e3555f695d22da1139
• Instruction ID: b52928233badab44033ed667073f093d91670c48507dddb66083a35a16eb115d
• Opcode Fuzzy Hash: 667d34521df6348001af9065cee2be596689d5e3e671a6e3555f695d22da1139
• Instruction Fuzzy Hash: 4B113636A002109BCF09EF24C58656E7365AF4C365F14406BEC12A7382DBBCED068BD9
Uniqueness
Uniqueness Score: -1.00%
APIs
• Concurrency::details::_NonReentrantLock::_Acquire.LIBCONCRT ref: 00422367
• Concurrency::details::ResourceManager::ResourceManager.LIBCONCRT ref: 004223BA
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Resource$AcquireConcurrency::details::Concurrency::details::_Lock::_ManagerManager::Reentrant
• String ID: `zF
• API String ID: 3303180142-4260980715
• Opcode ID: db6c7a1aaef1f0b940bf7cbc766dc7a5416d7456c87fc561f3a7a39516a80da3
• Instruction ID: fb0a49a511b617d03a9bbbdb883fa46d86f118b452410df5caefec768379d9cd
• Opcode Fuzzy Hash: db6c7a1aaef1f0b940bf7cbc766dc7a5416d7456c87fc561f3a7a39516a80da3
• Instruction Fuzzy Hash: 37019271B09225AADB14EFBA751175E6AD06F14348FA4006FFC05EB282DBBC4E81475E
Uniqueness
Uniqueness Score: -1.00%
APIs
• CreateSemaphoreExW.KERNEL32(?,00427C73,00000000,00000000,7FFFFFFF,00000000,00000000,001F0003,00000000), ref: 0041E18C
• CreateSemaphoreW.KERNEL32(?,00427C73,00000000,00000000,7FFFFFFF,00000000,00000000,001F0003,00000000), ref: 0041E1AE
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: CreateSemaphore
• String ID: s|B
• API String ID: 1078844751-2997754205
• Opcode ID: f8aeaf3269e71b8dd312926becc761732bf3480156c93350c4f5f83950d26c29
• Instruction ID: b34beb50a72997b5839a885cb19b4a76d6044d74c33bac99d10f135ac6b00ab1
• Opcode Fuzzy Hash: f8aeaf3269e71b8dd312926becc761732bf3480156c93350c4f5f83950d26c29
• Instruction Fuzzy Hash: B6F0B23A504129BBCF125F91DC049EE7F26FB08B50B088066FD0966220D6729961EFEA
Uniqueness
• Uniqueness Score: -1.00%
APIs
• Concurrency::details::FreeThreadProxy::ReturnIdleProxy.LIBCONCRT ref: 0042CFDE
• std::invalid_argument::invalid_argument.LIBCONCRT ref: 0042CFF1
Strings
Memory Dump Source
• Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3570956051.0000000000400000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3574110062.0000000000464000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3584190612.0000000000469000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3586390753.000000000046B000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3588978463.0000000000477000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598116189.00000000005D3000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598415913.00000000005D6000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005E9000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3598926800.00000000005F6000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3600414579.0000000000610000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3601764289.0000000000611000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3602576032.0000000000625000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3604360514.0000000000639000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606175481.0000000000652000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3606836184.0000000000657000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607432158.0000000000658000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607635738.000000000065C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607699912.0000000000663000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607810374.0000000000667000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607854629.0000000000675000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607914398.0000000000679000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3607958757.000000000067A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608014889.000000000067C000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608063972.0000000000683000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608122203.0000000000689000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608198710.000000000068A000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608311115.000000000068D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608445488.000000000068E000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608528411.0000000000696000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608622527.00000000006AC000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608665793.00000000006AD000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608726381.00000000006B7000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3608772421.00000000006B8000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3610707203.00000000006C9000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006CA000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3611972678.00000000006D7000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3615390168.0000000000706000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3617807431.0000000000707000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3620560475.0000000000708000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3622698683.000000000070E000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623260304.0000000000710000.00000080.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3623896228.000000000071D000.00000040.00000001.01000000.00000007.sdmp
• Associated: 00000002.00000002.3625181917.000000000071F000.00000080.00000001.01000000.00000007.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_400000_explorha.jbxd
Yara matches
Similarity
• API ID: Concurrency::details::FreeIdleProxyProxy::ReturnThreadstd::invalid_argument::invalid_argument
• String ID: pContext
• API String ID: 548886458-2046700901
• Opcode ID: 672dbed385d96e98abb20d19bed3e5f2993356382bdae5a7b2955a7aa3672016
• Instruction ID: 5122d4b594f9d08e3291c9af6b21987fc0eadca1832e0362a790bd360af52ddb
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 672dbed385d96e98abb20d19bed3e5f2993356382bdae5a7b2955a7aa3672016
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7AE09B3AB0021467CF00BB65D849C9DB77D5E84756B15005BB911A3395DB78EA04C5D9
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00424B8C
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000002.00000002.3574110062.0000000000401000.00000040.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_2_2_400000_explorha.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: std::invalid_argument::invalid_argument
                                                                                                                                                                                                                                                          • String ID: pScheduler$version
                                                                                                                                                                                                                                                          • API String ID: 2141394445-3154422776
                                                                                                                                                                                                                                                          • Opcode ID: ceb3c8117c5620a7b943d2307d474c56f0c7525ec81d37288a8ab1280d16bb41
                                                                                                                                                                                                                                                          • Instruction ID: 7a6d803b7956b38666fa5d738c61394bb376cab15d5bf3bdd7295e098fa6daad
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ceb3c8117c5620a7b943d2307d474c56f0c7525ec81d37288a8ab1280d16bb41
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E2E08634A40218B6CF15FA65E80AFDD3B68DB1035AF90811778102109197FCE6CCCAC9
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                                                                                          Execution Coverage: 4.4%
                                                                                                                                                                                                                                                          Dynamic/Decrypted Code Coverage: 0%
                                                                                                                                                                                                                                                          Signature Coverage: 0.8%
                                                                                                                                                                                                                                                          Total number of Nodes: 1357
                                                                                                                                                                                                                                                          Total number of Limit Nodes: 37
8046->8042 8047 6c88db76 8046->8047 8051 6c88b63f _free 14 API calls 8046->8051 8049 6c88db98 8047->8049 8056 6c88b63f _free 14 API calls 8047->8056 8050 6c88b63f _free 14 API calls 8048->8050 8053 6c88b63f _free 14 API calls 8049->8053 8052 6c88dbe2 8050->8052 8055 6c88db6b 8051->8055 8057 6c88b63f _free 14 API calls 8052->8057 8058 6c88dba2 8053->8058 8054 6c88dc69 8060 6c88b63f _free 14 API calls 8054->8060 8061 6c88df6d ___free_lconv_mon 14 API calls 8055->8061 8062 6c88db8d 8056->8062 8063 6c88dbf0 8057->8063 8059 6c88b63f _free 14 API calls 8058->8059 8059->8042 8064 6c88dc6f 8060->8064 8061->8047 8066 6c88e06b __fassign 14 API calls 8062->8066 8067 6c88b63f _free 14 API calls 8063->8067 8064->8037 8065->8054 8068 6c88b63f 14 API calls _free 8065->8068 8066->8049 8067->8043 8068->8065 8069->8040 8071 6c88b153 _free 14 API calls 8070->8071 8072 6c8896c7 8071->8072 8074 6c8896d5 8072->8074 8078 6c88974d IsProcessorFeaturePresent 8072->8078 8074->7949 8075 6c88971f 8076 6c8896bc ___std_exception_copy 25 API calls 8075->8076 8077 6c88972c 8076->8077 8077->7949 8079 6c889759 8078->8079 8082 6c889574 8079->8082 8083 6c889590 ___scrt_fastfail 8082->8083 8084 6c8895bc IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 8083->8084 8087 6c88968d ___scrt_fastfail 8084->8087 8086 6c8896ab GetCurrentProcess TerminateProcess 8086->8075 8088 6c885e21 8087->8088 8089 6c885e2a 8088->8089 8090 6c885e2c IsProcessorFeaturePresent 8088->8090 8089->8086 8092 6c8861e9 8090->8092 8095 6c8861ad SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 8092->8095 8094 6c8862cc 8094->8086 8095->8094 8097 6c889c0e CallCatchBlock 8096->8097 8102 6c88b504 EnterCriticalSection 8097->8102 8099 6c889c19 8103 6c889c55 8099->8103 8102->8099 8106 6c88b54c LeaveCriticalSection 8103->8106 8105 6c889be0 8105->7902 8106->8105 8126 6c8852e0 8107->8126 8109 6c8820aa 8110 6c882120 8109->8110 8111 6c8852e0 26 API calls 8110->8111 8112 6c882154 8111->8112 
8113 6c882286 8112->8113 8169 6c889b92 8112->8169 8115 6c881ed0 8113->8115 8116 6c885e63 26 API calls 8115->8116 8124 6c881f5a 8116->8124 8117 6c882028 8118 6c88204e 8117->8118 8121 6c882076 8117->8121 8119 6c885e21 __ehhandler$___std_fs_get_file_id@8 5 API calls 8118->8119 8120 6c882072 8119->8120 8120->7860 8122 6c889730 25 API calls 8121->8122 8123 6c88207b 8122->8123 8124->8117 8410 6c885770 8124->8410 8129 6c88531f 8126->8129 8130 6c8852f8 ___scrt_fastfail 8126->8130 8127 6c885408 8141 6c885b70 8127->8141 8129->8127 8132 6c885398 8129->8132 8133 6c885373 8129->8133 8130->8109 8131 6c88540d 8134 6c881260 Concurrency::cancel_current_task 26 API calls 8131->8134 8137 6c885e63 26 API calls 8132->8137 8138 6c885384 ___scrt_fastfail 8132->8138 8133->8131 8136 6c885e63 26 API calls 8133->8136 8135 6c885412 8134->8135 8136->8138 8137->8138 8139 6c889730 25 API calls 8138->8139 8140 6c8853ea 8138->8140 8139->8127 8140->8109 8158 6c885de1 8141->8158 8163 6c885d40 8158->8163 8161 6c8871a3 std::_Xinvalid_argument RaiseException 8162 6c885e00 8161->8162 8166 6c885cf0 8163->8166 8167 6c887121 ___std_exception_copy 25 API calls 8166->8167 8168 6c885d1c 8167->8168 8168->8161 8170 6c889bae __fassign 8169->8170 8171 6c889ba0 8169->8171 8170->8112 8174 6c889b59 8171->8174 8179 6c8899f2 8174->8179 8178 6c889b7d 8178->8112 8180 6c889a09 8179->8180 8181 6c889a12 8179->8181 8187 6c889adb 8180->8187 8181->8180 8193 6c88affc GetLastError 8181->8193 8188 6c889b18 8187->8188 8189 6c889ae8 8187->8189 8376 6c88b24e 8188->8376 8192 6c889af7 __fassign 8189->8192 8369 6c88b272 8189->8369 8192->8178 8194 6c88b019 8193->8194 8195 6c88b013 8193->8195 8197 6c88cdc8 _free 6 API calls 8194->8197 8217 6c88b01f SetLastError 8194->8217 8196 6c88cd89 _free 6 API calls 8195->8196 8196->8194 8198 6c88b037 8197->8198 8199 6c88b5e2 _free 14 API calls 8198->8199 8198->8217 8201 6c88b047 8199->8201 8202 6c88b04f 8201->8202 8203 6c88b066 8201->8203 8206 6c88cdc8 _free 6 API calls 8202->8206 8208 6c88cdc8 
_free 6 API calls 8203->8208 8204 6c889a32 8220 6c88b3c9 8204->8220 8205 6c88b0b3 8228 6c88ab2c 8205->8228 8209 6c88b05d 8206->8209 8211 6c88b072 8208->8211 8214 6c88b63f _free 14 API calls 8209->8214 8212 6c88b076 8211->8212 8213 6c88b087 8211->8213 8215 6c88cdc8 _free 6 API calls 8212->8215 8216 6c88adfe _free 14 API calls 8213->8216 8214->8217 8215->8209 8218 6c88b092 8216->8218 8217->8204 8217->8205 8219 6c88b63f _free 14 API calls 8218->8219 8219->8217 8221 6c88b3dc 8220->8221 8222 6c889a48 8220->8222 8221->8222 8326 6c88dd79 8221->8326 8224 6c88b3f6 8222->8224 8225 6c88b409 8224->8225 8226 6c88b41e 8224->8226 8225->8226 8348 6c88c5b4 8225->8348 8226->8180 8239 6c88d2bc 8228->8239 8231 6c88ab3c 8233 6c88ab65 8231->8233 8234 6c88ab46 IsProcessorFeaturePresent 8231->8234 8269 6c88a075 8233->8269 8235 6c88ab52 8234->8235 8237 6c889574 __FrameHandler3::FrameUnwindToState 8 API calls 8235->8237 8237->8233 8272 6c88d1ee 8239->8272 8242 6c88d30a 8243 6c88d316 CallCatchBlock 8242->8243 8244 6c88b153 _free 14 API calls 8243->8244 8248 6c88d343 __FrameHandler3::FrameUnwindToState 8243->8248 8249 6c88d33d __FrameHandler3::FrameUnwindToState 8243->8249 8244->8249 8245 6c88d388 8246 6c88b3b6 _free 14 API calls 8245->8246 8247 6c88d38d 8246->8247 8250 6c889720 ___std_exception_copy 25 API calls 8247->8250 8252 6c88d3b4 8248->8252 8282 6c88b504 EnterCriticalSection 8248->8282 8249->8245 8249->8248 8268 6c88d372 8249->8268 8250->8268 8254 6c88d3fc 8252->8254 8255 6c88d4f1 8252->8255 8265 6c88d427 8252->8265 8254->8265 8283 6c88d301 8254->8283 8257 6c88d4fc 8255->8257 8290 6c88b54c LeaveCriticalSection 8255->8290 8259 6c88a075 __FrameHandler3::FrameUnwindToState 23 API calls 8257->8259 8261 6c88d504 8259->8261 8262 6c88affc _unexpected 37 API calls 8266 6c88d47b 8262->8266 8264 6c88d301 __FrameHandler3::FrameUnwindToState 37 API calls 8264->8265 8286 6c88d49d 8265->8286 8267 6c88affc _unexpected 37 API calls 8266->8267 8266->8268 8267->8268 8268->8231 8292 6c889f1b 8269->8292 
8273 6c88d1fa CallCatchBlock 8272->8273 8278 6c88b504 EnterCriticalSection 8273->8278 8275 6c88d208 8279 6c88d246 8275->8279 8278->8275 8280 6c88b54c __FrameHandler3::FrameUnwindToState LeaveCriticalSection 8279->8280 8281 6c88ab31 8280->8281 8281->8231 8281->8242 8282->8252 8284 6c88affc _unexpected 37 API calls 8283->8284 8285 6c88d306 8284->8285 8285->8264 8287 6c88d46c 8286->8287 8288 6c88d4a3 8286->8288 8287->8262 8287->8266 8287->8268 8291 6c88b54c LeaveCriticalSection 8288->8291 8290->8257 8291->8287 8293 6c889f29 8292->8293 8302 6c889f3a 8292->8302 8303 6c889fc1 GetModuleHandleW 8293->8303 8298 6c889f74 8310 6c889de1 8302->8310 8304 6c889f2e 8303->8304 8304->8302 8305 6c88a004 GetModuleHandleExW 8304->8305 8306 6c88a023 GetProcAddress 8305->8306 8307 6c88a038 8305->8307 8306->8307 8308 6c88a04c FreeLibrary 8307->8308 8309 6c88a055 8307->8309 8308->8309 8309->8302 8311 6c889ded CallCatchBlock 8310->8311 8312 6c88b504 __FrameHandler3::FrameUnwindToState EnterCriticalSection 8311->8312 8313 6c889df7 8312->8313 8314 6c889e2e __FrameHandler3::FrameUnwindToState 14 API calls 8313->8314 8315 6c889e04 8314->8315 8316 6c889e22 __FrameHandler3::FrameUnwindToState LeaveCriticalSection 8315->8316 8317 6c889e10 8316->8317 8317->8298 8318 6c889f7f 8317->8318 8319 6c88b5b1 __FrameHandler3::FrameUnwindToState 6 API calls 8318->8319 8320 6c889f89 8319->8320 8321 6c889fae 8320->8321 8322 6c889f8e GetPEB 8320->8322 8324 6c88a004 __FrameHandler3::FrameUnwindToState GetModuleHandleExW GetProcAddress FreeLibrary 8321->8324 8322->8321 8323 6c889f9e GetCurrentProcess TerminateProcess 8322->8323 8323->8321 8325 6c889fb6 ExitProcess 8324->8325 8327 6c88dd85 CallCatchBlock 8326->8327 8328 6c88affc _unexpected 37 API calls 8327->8328 8329 6c88dd8e 8328->8329 8336 6c88ddd4 8329->8336 8339 6c88b504 EnterCriticalSection 8329->8339 8331 6c88ddac 8340 6c88ddfa 8331->8340 8336->8222 8337 6c88ab2c __FrameHandler3::FrameUnwindToState 37 API calls 8338 6c88ddf9 8337->8338 8339->8331 8341 
6c88de08 __fassign 8340->8341 8343 6c88ddbd 8340->8343 8342 6c88db2d __fassign 14 API calls 8341->8342 8341->8343 8342->8343 8344 6c88ddd9 8343->8344 8347 6c88b54c LeaveCriticalSection 8344->8347 8346 6c88ddd0 8346->8336 8346->8337 8347->8346 8349 6c88affc _unexpected 37 API calls 8348->8349 8350 6c88c5be 8349->8350 8353 6c88c4cc 8350->8353 8354 6c88c4d8 CallCatchBlock 8353->8354 8356 6c88c4f2 8354->8356 8364 6c88b504 EnterCriticalSection 8354->8364 8357 6c88c4f9 8356->8357 8360 6c88ab2c __FrameHandler3::FrameUnwindToState 37 API calls 8356->8360 8357->8226 8358 6c88c52e 8365 6c88c54b 8358->8365 8361 6c88c56b 8360->8361 8362 6c88c502 8362->8358 8363 6c88b63f _free 14 API calls 8362->8363 8363->8358 8364->8362 8368 6c88b54c LeaveCriticalSection 8365->8368 8367 6c88c552 8367->8356 8368->8367 8370 6c8899f2 __fassign 37 API calls 8369->8370 8372 6c88b28f 8370->8372 8371 6c88b29f 8374 6c885e21 __ehhandler$___std_fs_get_file_id@8 5 API calls 8371->8374 8372->8371 8381 6c88de4a 8372->8381 8375 6c88b33b 8374->8375 8375->8192 8377 6c88affc _unexpected 37 API calls 8376->8377 8378 6c88b259 8377->8378 8379 6c88b3c9 __fassign 37 API calls 8378->8379 8380 6c88b269 8379->8380 8380->8192 8382 6c8899f2 __fassign 37 API calls 8381->8382 8383 6c88de6a 8382->8383 8396 6c88c8c3 8383->8396 8385 6c88de97 8391 6c88df28 8385->8391 8392 6c88debd ___scrt_fastfail 8385->8392 8399 6c88b563 8385->8399 8386 6c885e21 __ehhandler$___std_fs_get_file_id@8 5 API calls 8389 6c88df4b 8386->8389 8387 6c88df22 8406 6c88df4d 8387->8406 8389->8371 8391->8386 8392->8387 8393 6c88c8c3 __fassign MultiByteToWideChar 8392->8393 8394 6c88df0b 8393->8394 8394->8387 8395 6c88df12 GetStringTypeW 8394->8395 8395->8387 8397 6c88c8d4 MultiByteToWideChar 8396->8397 8397->8385 8400 6c88b5a1 8399->8400 8404 6c88b571 _free 8399->8404 8401 6c88b3b6 _free 14 API calls 8400->8401 8403 6c88b59f 8401->8403 8402 6c88b58c RtlAllocateHeap 8402->8403 8402->8404 8403->8392 8404->8400 8404->8402 8405 6c889bd5 _free 2 API calls 
8404->8405 8405->8404 8407 6c88df59 8406->8407 8408 6c88df6a 8406->8408 8407->8408 8409 6c88b63f _free 14 API calls 8407->8409 8408->8391 8409->8408 8411 6c885899 8410->8411 8412 6c885793 8410->8412 8413 6c885b70 26 API calls 8411->8413 8415 6c8857ff 8412->8415 8416 6c8857d5 8412->8416 8414 6c88589e 8413->8414 8417 6c881260 Concurrency::cancel_current_task 26 API calls 8414->8417 8420 6c885e63 26 API calls 8415->8420 8423 6c8857e6 ___scrt_uninitialize_crt 8415->8423 8416->8414 8418 6c8857e0 8416->8418 8417->8423 8419 6c885e63 26 API calls 8418->8419 8419->8423 8420->8423 8421 6c889730 25 API calls 8422 6c8858a8 8421->8422 8423->8421 8424 6c88585b ___scrt_uninitialize_crt 8423->8424 8424->8124 8428 6c88543e __InternalCxxFrameHandler 8425->8428 8430 6c885464 8425->8430 8426 6c88554e 8427 6c885b70 26 API calls 8426->8427 8429 6c885553 8427->8429 8428->7868 8433 6c881260 Concurrency::cancel_current_task 26 API calls 8429->8433 8430->8426 8431 6c8854b8 8430->8431 8432 6c8854dd 8430->8432 8431->8429 8435 6c885e63 26 API calls 8431->8435 8436 6c885e63 26 API calls 8432->8436 8437 6c8854c9 ___scrt_uninitialize_crt 8432->8437 8434 6c885558 8433->8434 8435->8437 8436->8437 8438 6c889730 25 API calls 8437->8438 8439 6c885530 8437->8439 8438->8426 8439->7868 8441 6c88184a 8440->8441 8442 6c881352 8440->8442 8443 6c885420 26 API calls 8441->8443 8442->8441 8444 6c881366 8442->8444 8457 6c8816e6 8443->8457 8445 6c885420 26 API calls 8444->8445 8446 6c8813b2 InternetOpenW InternetConnectA HttpOpenRequestA HttpSendRequestA InternetReadFile 8445->8446 8448 6c881681 InternetCloseHandle InternetCloseHandle InternetCloseHandle 8446->8448 8459 6c881475 __InternalCxxFrameHandler 8446->8459 8447 6c881905 8451 6c889730 25 API calls 8447->8451 8448->8457 8449 6c881845 8450 6c885e21 __ehhandler$___std_fs_get_file_id@8 5 API calls 8449->8450 8452 6c881901 8450->8452 8453 6c88190a 8451->8453 8452->7875 8477 6c8862ce 8453->8477 8454 6c88167b 8454->8448 8457->8447 8457->8449 8458 6c885420 26 
API calls 8458->8459 8459->8447 8459->8453 8459->8454 8459->8458 8461 6c88164b InternetReadFile 8459->8461 8462 6c885a10 8459->8462 8461->8454 8461->8459 8463 6c885b5e 8462->8463 8465 6c885a3b 8462->8465 8464 6c885b70 26 API calls 8463->8464 8466 6c885b63 8464->8466 8468 6c885aac 8465->8468 8469 6c885a82 8465->8469 8467 6c881260 Concurrency::cancel_current_task 26 API calls 8466->8467 8475 6c885a93 ___scrt_uninitialize_crt 8467->8475 8471 6c885e63 26 API calls 8468->8471 8468->8475 8469->8466 8470 6c885a8d 8469->8470 8473 6c885e63 26 API calls 8470->8473 8471->8475 8472 6c889730 25 API calls 8474 6c885b6d 8472->8474 8473->8475 8475->8472 8476 6c885b1c ___scrt_uninitialize_crt 8475->8476 8476->8459 8480 6c8862da IsProcessorFeaturePresent 8477->8480 8481 6c8862ee 8480->8481 8484 6c8861ad SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 8481->8484 8483 6c88190f 8484->8483 9110 6c88b49c 9113 6c88b423 9110->9113 9114 6c88b42f CallCatchBlock 9113->9114 9121 6c88b504 EnterCriticalSection 9114->9121 9116 6c88b439 9117 6c88b467 9116->9117 9119 6c88ddfa __fassign 14 API calls 9116->9119 9122 6c88b485 9117->9122 9119->9116 9121->9116 9125 6c88b54c LeaveCriticalSection 9122->9125 9124 6c88b473 9125->9124 9126 6c88a092 9127 6c88a0a9 9126->9127 9128 6c88a0a2 9126->9128 9129 6c88a0ca 9127->9129 9131 6c88a0b4 9127->9131 9150 6c88c56c 9129->9150 9133 6c88b3b6 _free 14 API calls 9131->9133 9135 6c88a0b9 9133->9135 9137 6c889720 ___std_exception_copy 25 API calls 9135->9137 9137->9128 9142 6c88a13a 9145 6c88a1c8 37 API calls 9142->9145 9143 6c88a12e 9144 6c88b3b6 _free 14 API calls 9143->9144 9149 6c88a133 9144->9149 9147 6c88a152 9145->9147 9146 6c88b63f _free 14 API calls 9146->9128 9148 6c88b63f _free 14 API calls 9147->9148 9147->9149 9148->9149 9149->9146 9151 6c88a0d0 9150->9151 9152 6c88c575 9150->9152 9156 6c88bfad GetModuleFileNameW 9151->9156 9178 6c88b0b9 9152->9178 9157 6c88bfdc GetLastError 9156->9157 9158 6c88bfed 9156->9158 9336 
6c88b380 9157->9336 9341 6c88bd26 9158->9341 9162 6c88bfe8 9164 6c885e21 __ehhandler$___std_fs_get_file_id@8 5 API calls 9162->9164 9165 6c88a0e3 9164->9165 9166 6c88a1c8 9165->9166 9167 6c88a1ed 9166->9167 9170 6c88a24d 9167->9170 9380 6c88c892 9167->9380 9169 6c88a118 9172 6c88a33f 9169->9172 9170->9169 9171 6c88c892 37 API calls 9170->9171 9171->9170 9173 6c88a125 9172->9173 9174 6c88a350 9172->9174 9173->9142 9173->9143 9174->9173 9175 6c88b5e2 _free 14 API calls 9174->9175 9176 6c88a379 9175->9176 9177 6c88b63f _free 14 API calls 9176->9177 9177->9173 9179 6c88b0ca 9178->9179 9180 6c88b0c4 9178->9180 9182 6c88cdc8 _free 6 API calls 9179->9182 9187 6c88b0d0 9179->9187 9181 6c88cd89 _free 6 API calls 9180->9181 9181->9179 9183 6c88b0e4 9182->9183 9184 6c88b5e2 _free 14 API calls 9183->9184 9183->9187 9188 6c88b0f4 9184->9188 9185 6c88ab2c __FrameHandler3::FrameUnwindToState 37 API calls 9186 6c88b152 9185->9186 9187->9185 9191 6c88b149 9187->9191 9189 6c88b0fc 9188->9189 9190 6c88b111 9188->9190 9193 6c88cdc8 _free 6 API calls 9189->9193 9192 6c88cdc8 _free 6 API calls 9190->9192 9203 6c88c3b3 9191->9203 9194 6c88b11d 9192->9194 9195 6c88b108 9193->9195 9196 6c88b130 9194->9196 9197 6c88b121 9194->9197 9200 6c88b63f _free 14 API calls 9195->9200 9199 6c88adfe _free 14 API calls 9196->9199 9198 6c88cdc8 _free 6 API calls 9197->9198 9198->9195 9201 6c88b13b 9199->9201 9200->9187 9202 6c88b63f _free 14 API calls 9201->9202 9202->9187 9204 6c88c4cc __fassign 37 API calls 9203->9204 9205 6c88c3c6 9204->9205 9222 6c88c15c 9205->9222 9208 6c88c3df 9208->9151 9209 6c88b563 15 API calls 9210 6c88c3f0 9209->9210 9221 6c88c422 9210->9221 9229 6c88c5c7 9210->9229 9213 6c88b63f _free 14 API calls 9215 6c88c430 9213->9215 9214 6c88c41d 9216 6c88b3b6 _free 14 API calls 9214->9216 9215->9151 9216->9221 9217 6c88c438 9218 6c88c464 9217->9218 9219 6c88b63f _free 14 API calls 9217->9219 9218->9221 9240 6c88c04e 9218->9240 9219->9218 9221->9213 9223 6c8899f2 __fassign 37 API calls 
9222->9223 9224 6c88c16e 9223->9224 9225 6c88c17d GetOEMCP 9224->9225 9226 6c88c18f 9224->9226 9228 6c88c1a6 9225->9228 9227 6c88c194 GetACP 9226->9227 9226->9228 9227->9228 9228->9208 9228->9209 9230 6c88c15c 39 API calls 9229->9230 9231 6c88c5e7 9230->9231 9233 6c88c621 IsValidCodePage 9231->9233 9237 6c88c65d ___scrt_fastfail 9231->9237 9232 6c885e21 __ehhandler$___std_fs_get_file_id@8 5 API calls 9234 6c88c415 9232->9234 9235 6c88c633 9233->9235 9233->9237 9234->9214 9234->9217 9236 6c88c662 GetCPInfo 9235->9236 9239 6c88c63c ___scrt_fastfail 9235->9239 9236->9237 9236->9239 9237->9232 9248 6c88c232 9239->9248 9241 6c88c05a CallCatchBlock 9240->9241 9310 6c88b504 EnterCriticalSection 9241->9310 9243 6c88c064 9311 6c88c09b 9243->9311 9249 6c88c25a GetCPInfo 9248->9249 9258 6c88c323 9248->9258 9255 6c88c272 9249->9255 9249->9258 9250 6c885e21 __ehhandler$___std_fs_get_file_id@8 5 API calls 9251 6c88c3b1 9250->9251 9251->9237 9252 6c88de4a 40 API calls 9253 6c88c2da 9252->9253 9259 6c88ea1e 9253->9259 9255->9252 9257 6c88ea1e 41 API calls 9257->9258 9258->9250 9260 6c8899f2 __fassign 37 API calls 9259->9260 9261 6c88ea31 9260->9261 9264 6c88e834 9261->9264 9265 6c88e84f 9264->9265 9266 6c88c8c3 __fassign MultiByteToWideChar 9265->9266 9269 6c88e893 9266->9269 9267 6c88e9f8 9268 6c885e21 __ehhandler$___std_fs_get_file_id@8 5 API calls 9267->9268 9270 6c88c2fb 9268->9270 9269->9267 9272 6c88b563 15 API calls 9269->9272 9276 6c88e8b8 9269->9276 9270->9257 9271 6c88e95d 9275 6c88df4d __freea 14 API calls 9271->9275 9272->9276 9273 6c88c8c3 __fassign MultiByteToWideChar 9274 6c88e8fe 9273->9274 9274->9271 9292 6c88ce55 9274->9292 9275->9267 9276->9271 9276->9273 9279 6c88e96c 9281 6c88b563 15 API calls 9279->9281 9285 6c88e97e 9279->9285 9280 6c88e934 9280->9271 9282 6c88ce55 6 API calls 9280->9282 9281->9285 9282->9271 9283 6c88e9e9 9284 6c88df4d __freea 14 API calls 9283->9284 9284->9271 9285->9283 9286 6c88ce55 6 API calls 9285->9286 9287 6c88e9c6 9286->9287 
9287->9283 9298 6c88c93f 9287->9298 9289 6c88e9e0 9289->9283 9290 6c88ea15 9289->9290 9291 6c88df4d __freea 14 API calls 9290->9291 9291->9271 9301 6c88cb2e 9292->9301 9296 6c88cea6 LCMapStringW 9297 6c88ce66 9296->9297 9297->9271 9297->9279 9297->9280 9299 6c88c958 WideCharToMultiByte 9298->9299 9299->9289 9302 6c88cc29 _free 5 API calls 9301->9302 9303 6c88cb44 9302->9303 9303->9297 9304 6c88ceb2 9303->9304 9307 6c88cb48 9304->9307 9306 6c88cebd 9306->9296 9308 6c88cc29 _free 5 API calls 9307->9308 9309 6c88cb5e 9308->9309 9309->9306 9310->9243 9321 6c88c7ba 9311->9321 9313 6c88c0bd 9314 6c88c7ba 25 API calls 9313->9314 9315 6c88c0dc 9314->9315 9316 6c88c071 9315->9316 9317 6c88b63f _free 14 API calls 9315->9317 9318 6c88c08f 9316->9318 9317->9316 9335 6c88b54c LeaveCriticalSection 9318->9335 9320 6c88c07d 9320->9221 9322 6c88c7cb 9321->9322 9331 6c88c7c7 ___scrt_uninitialize_crt 9321->9331 9323 6c88c7d2 9322->9323 9327 6c88c7e5 ___scrt_fastfail 9322->9327 9324 6c88b3b6 _free 14 API calls 9323->9324 9325 6c88c7d7 9324->9325 9326 6c889720 ___std_exception_copy 25 API calls 9325->9326 9326->9331 9328 6c88c81c 9327->9328 9329 6c88c813 9327->9329 9327->9331 9328->9331 9333 6c88b3b6 _free 14 API calls 9328->9333 9330 6c88b3b6 _free 14 API calls 9329->9330 9332 6c88c818 9330->9332 9331->9313 9334 6c889720 ___std_exception_copy 25 API calls 9332->9334 9333->9332 9334->9331 9335->9320 9367 6c88b3a3 9336->9367 9338 6c88b38b _free 9339 6c88b3b6 _free 14 API calls 9338->9339 9340 6c88b39e 9339->9340 9340->9162 9342 6c8899f2 __fassign 37 API calls 9341->9342 9343 6c88bd38 9342->9343 9344 6c88bd4a 9343->9344 9370 6c88ccec 9343->9370 9346 6c88beab 9344->9346 9347 6c88bec7 9346->9347 9363 6c88beb8 9346->9363 9348 6c88becf 9347->9348 9349 6c88bef4 9347->9349 9348->9363 9376 6c88bf72 9348->9376 9350 6c88c93f ___scrt_uninitialize_crt WideCharToMultiByte 9349->9350 9352 6c88bf04 9350->9352 9353 6c88bf0b GetLastError 9352->9353 9354 6c88bf21 9352->9354 9355 6c88b380 __dosmaperr 14 
API calls 9353->9355 9356 6c88bf32 9354->9356 9359 6c88bf72 14 API calls 9354->9359 9358 6c88bf17 9355->9358 9357 6c88c93f ___scrt_uninitialize_crt WideCharToMultiByte 9356->9357 9356->9363 9360 6c88bf4a 9357->9360 9361 6c88b3b6 _free 14 API calls 9358->9361 9359->9356 9362 6c88bf51 GetLastError 9360->9362 9360->9363 9361->9363 9364 6c88b380 __dosmaperr 14 API calls 9362->9364 9363->9162 9365 6c88bf5d 9364->9365 9366 6c88b3b6 _free 14 API calls 9365->9366 9366->9363 9368 6c88b153 _free 14 API calls 9367->9368 9369 6c88b3a8 9368->9369 9369->9338 9373 6c88cb14 9370->9373 9374 6c88cc29 _free 5 API calls 9373->9374 9375 6c88cb2a 9374->9375 9375->9344 9377 6c88bf7d 9376->9377 9378 6c88b3b6 _free 14 API calls 9377->9378 9379 6c88bf86 9378->9379 9379->9363 9383 6c88c83b 9380->9383 9384 6c8899f2 __fassign 37 API calls 9383->9384 9385 6c88c84f 9384->9385 9385->9167 9397 6c88d8b9 9398 6c88d7e8 ___scrt_uninitialize_crt 66 API calls 9397->9398 9399 6c88d8c1 9398->9399 9407 6c88f989 9399->9407 9401 6c88d8c6 9417 6c88fa34 9401->9417 9404 6c88d8f0 9405 6c88b63f _free 14 API calls 9404->9405 9406 6c88d8fb 9405->9406 9408 6c88f995 CallCatchBlock 9407->9408 9421 6c88b504 EnterCriticalSection 9408->9421 9410 6c88fa0c 9435 6c88fa2b 9410->9435 9412 6c88f9a0 9412->9410 9414 6c88f9e0 DeleteCriticalSection 9412->9414 9422 6c88fe3b 9412->9422 9416 6c88b63f _free 14 API calls 9414->9416 9416->9412 9418 6c88d8d5 DeleteCriticalSection 9417->9418 9419 6c88fa4b 9417->9419 9418->9401 9418->9404 9419->9418 9420 6c88b63f _free 14 API calls 9419->9420 9420->9418 9421->9412 9423 6c88fe47 CallCatchBlock 9422->9423 9424 6c88fe51 9423->9424 9425 6c88fe66 9423->9425 9426 6c88b3b6 _free 14 API calls 9424->9426 9427 6c88fe61 9425->9427 9438 6c88d905 EnterCriticalSection 9425->9438 9428 6c88fe56 9426->9428 9427->9412 9430 6c889720 ___std_exception_copy 25 API calls 9428->9430 9430->9427 9431 6c88fe83 9439 6c88fdc4 9431->9439 9433 6c88fe8e 9455 6c88feb5 9433->9455 9527 6c88b54c LeaveCriticalSection 
9435->9527 9437 6c88fa18 9437->9401 9438->9431 9440 6c88fdd1 9439->9440 9441 6c88fde6 9439->9441 9442 6c88b3b6 _free 14 API calls 9440->9442 9443 6c88d73b ___scrt_uninitialize_crt 62 API calls 9441->9443 9453 6c88fde1 9441->9453 9444 6c88fdd6 9442->9444 9445 6c88fdfb 9443->9445 9446 6c889720 ___std_exception_copy 25 API calls 9444->9446 9447 6c88fa34 14 API calls 9445->9447 9446->9453 9448 6c88fe03 9447->9448 9449 6c88da89 ___scrt_uninitialize_crt 25 API calls 9448->9449 9450 6c88fe09 9449->9450 9458 6c890437 9450->9458 9453->9433 9454 6c88b63f _free 14 API calls 9454->9453 9526 6c88d919 LeaveCriticalSection 9455->9526 9457 6c88febd 9457->9427 9459 6c890448 9458->9459 9460 6c89045d 9458->9460 9461 6c88b3a3 __dosmaperr 14 API calls 9459->9461 9462 6c8904a6 9460->9462 9467 6c890484 9460->9467 9464 6c89044d 9461->9464 9463 6c88b3a3 __dosmaperr 14 API calls 9462->9463 9465 6c8904ab 9463->9465 9466 6c88b3b6 _free 14 API calls 9464->9466 9468 6c88b3b6 _free 14 API calls 9465->9468 9470 6c88fe0f 9466->9470 9473 6c8903ab 9467->9473 9471 6c8904b3 9468->9471 9470->9453 9470->9454 9472 6c889720 ___std_exception_copy 25 API calls 9471->9472 9472->9470 9474 6c8903b7 CallCatchBlock 9473->9474 9484 6c88ecdc EnterCriticalSection 9474->9484 9476 6c8903c5 9477 6c8903ec 9476->9477 9478 6c8903f7 9476->9478 9485 6c8904c4 9477->9485 9479 6c88b3b6 _free 14 API calls 9478->9479 9481 6c8903f2 9479->9481 9500 6c89042b 9481->9500 9484->9476 9503 6c88edb3 9485->9503 9487 6c8904da 9516 6c88ed22 9487->9516 9489 6c8904d4 9489->9487 9492 6c88edb3 ___scrt_uninitialize_crt 25 API calls 9489->9492 9499 6c89050c 9489->9499 9490 6c88edb3 ___scrt_uninitialize_crt 25 API calls 9493 6c890518 CloseHandle 9490->9493 9494 6c890503 9492->9494 9493->9487 9495 6c890524 GetLastError 9493->9495 9498 6c88edb3 ___scrt_uninitialize_crt 25 API calls 9494->9498 9495->9487 9496 6c88b380 __dosmaperr 14 API calls 9497 6c890554 9496->9497 9497->9481 9498->9499 9499->9487 9499->9490 9525 6c88ecff LeaveCriticalSection 
9500->9525 9502 6c890414 9502->9470 9504 6c88edc0 9503->9504 9505 6c88edd5 9503->9505 9506 6c88b3a3 __dosmaperr 14 API calls 9504->9506 9507 6c88b3a3 __dosmaperr 14 API calls 9505->9507 9509 6c88edfa 9505->9509 9508 6c88edc5 9506->9508 9510 6c88ee05 9507->9510 9511 6c88b3b6 _free 14 API calls 9508->9511 9509->9489 9512 6c88b3b6 _free 14 API calls 9510->9512 9513 6c88edcd 9511->9513 9514 6c88ee0d 9512->9514 9513->9489 9515 6c889720 ___std_exception_copy 25 API calls 9514->9515 9515->9513 9517 6c88ed98 9516->9517 9518 6c88ed31 9516->9518 9519 6c88b3b6 _free 14 API calls 9517->9519 9518->9517 9524 6c88ed5b 9518->9524 9520 6c88ed9d 9519->9520 9521 6c88b3a3 __dosmaperr 14 API calls 9520->9521 9522 6c88ed88 9521->9522 9522->9496 9522->9497 9523 6c88ed82 SetStdHandle 9523->9522 9524->9522 9524->9523 9525->9502 9526->9457 9527->9437 7747 6c8865bb 7750 6c8865c7 CallCatchBlock 7747->7750 7748 6c8865d6 7749 6c8865f0 dllmain_raw 7749->7748 7751 6c88660a dllmain_crt_dispatch 7749->7751 7750->7748 7750->7749 7753 6c8865eb 7750->7753 7751->7748 7751->7753 7752 6c886657 7752->7748 7754 6c886660 dllmain_crt_dispatch 7752->7754 7753->7752 7756 6c886643 dllmain_crt_dispatch dllmain_raw 7753->7756 7754->7748 7755 6c886673 dllmain_raw 7754->7755 7755->7748 7756->7752 8485 6c8863b1 8486 6c8863bc 8485->8486 8487 6c8863ef 8485->8487 8489 6c8863e1 8486->8489 8490 6c8863c1 8486->8490 8524 6c88650b 8487->8524 8497 6c886404 8489->8497 8491 6c8863c6 8490->8491 8492 6c8863d7 8490->8492 8496 6c8863cb 8491->8496 8511 6c885f61 8491->8511 8516 6c885f42 8492->8516 8498 6c886410 CallCatchBlock 8497->8498 8546 6c885fd2 8498->8546 8500 6c886417 8501 6c88643e 8500->8501 8502 6c886503 8500->8502 8508 6c88647a ___scrt_is_nonwritable_in_current_image __FrameHandler3::FrameUnwindToState 8500->8508 8557 6c885f34 8501->8557 8565 6c886911 IsProcessorFeaturePresent 8502->8565 8505 6c88650a 8506 6c88644d __RTC_Initialize 8506->8508 8560 6c886b34 InitializeSListHead 8506->8560 8508->8496 8509 6c88645b 8509->8508 
8561 6c885f09 8509->8561 8711 6c88aa18 8511->8711 8800 6c88722e 8516->8800 8518 6c885f4b 8518->8496 8522 6c885f5e 8522->8496 8523 6c887239 21 API calls 8523->8518 8526 6c886517 CallCatchBlock 8524->8526 8525 6c886520 8525->8496 8526->8525 8527 6c886548 8526->8527 8528 6c8865b3 8526->8528 8820 6c885fa2 8527->8820 8529 6c886911 ___scrt_fastfail 4 API calls 8528->8529 8533 6c8865ba CallCatchBlock 8529->8533 8531 6c88654d 8829 6c886b40 8531->8829 8534 6c8865f0 dllmain_raw 8533->8534 8542 6c8865eb 8533->8542 8545 6c8865d6 8533->8545 8536 6c88660a dllmain_crt_dispatch 8534->8536 8534->8545 8535 6c886552 __RTC_Initialize 8832 6c886143 8535->8832 8536->8542 8536->8545 8540 6c886657 8541 6c886660 dllmain_crt_dispatch 8540->8541 8540->8545 8543 6c886673 dllmain_raw 8541->8543 8541->8545 8542->8540 8544 6c886643 dllmain_crt_dispatch dllmain_raw 8542->8544 8543->8545 8544->8540 8545->8496 8547 6c885fdb 8546->8547 8569 6c886731 IsProcessorFeaturePresent 8547->8569 8551 6c885fec 8552 6c885ff0 8551->8552 8579 6c88a9fb 8551->8579 8552->8500 8555 6c886007 8555->8500 8705 6c88600b 8557->8705 8559 6c885f3b 8559->8506 8560->8509 8562 6c885f0e ___scrt_release_startup_lock 8561->8562 8563 6c886731 IsProcessorFeaturePresent 8562->8563 8564 6c885f17 8562->8564 8563->8564 8564->8508 8566 6c886926 ___scrt_fastfail 8565->8566 8567 6c8869d1 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 8566->8567 8568 6c886a1c ___scrt_fastfail 8567->8568 8568->8505 8570 6c885fe7 8569->8570 8571 6c88720f 8570->8571 8588 6c8884e9 8571->8588 8575 6c887220 8576 6c88722b 8575->8576 8602 6c888525 8575->8602 8576->8551 8578 6c887218 8578->8551 8643 6c88d155 8579->8643 8582 6c887244 8583 6c88724d 8582->8583 8584 6c887257 8582->8584 8585 6c8876ee ___vcrt_uninitialize_ptd 6 API calls 8583->8585 8584->8552 8586 6c887252 8585->8586 8587 6c888525 ___vcrt_uninitialize_locks DeleteCriticalSection 8586->8587 8587->8584 8589 6c8884f2 8588->8589 8591 6c88851b 8589->8591 8592 6c887214 8589->8592 8606 

Control-flow Graph (function starting at 6C881300; the graph itself is not reproduced here)
APIs
• InternetOpenW.WININET(6C898DB8,00000000,00000000,00000000,00000000), ref: 6C8813C3
• InternetConnectA.WININET(00000000,?,00000050,00000000,00000000,00000003,00000000,00000001), ref: 6C8813EA
• HttpOpenRequestA.WININET(00000000,POST,?,00000000,00000000,00000000,00000000,00000001), ref: 6C881414
• HttpSendRequestA.WININET(00000000,00000000,00000000,?,00000000), ref: 6C88144D
• InternetReadFile.WININET(00000000,?,000003FF,?), ref: 6C881467
• InternetReadFile.WININET(?,00000000,000003FF,00000000), ref: 6C88166D
• InternetCloseHandle.WININET(00000000), ref: 6C881688
• InternetCloseHandle.WININET(?), ref: 6C881690
• InternetCloseHandle.WININET(?), ref: 6C881698
Strings
• POST, xrefs: 6C88140E
• Content-Type: application/x-www-form-urlencoded, xrefs: 6C88138D
Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID: Internet$CloseHandle$FileHttpOpenReadRequest$ConnectSend
• String ID: Content-Type: application/x-www-form-urlencoded$POST
• API String ID: 1354133546-2387545335
• Opcode ID: 87d598a139a7f08a508e3bd02ec0ccec2690e5b900bcdffaa4bcb8a0e568149d
• Instruction ID: 7a5e8d5feb0539629839af31800acf897dca5ba7363da1b188f838ecc8823034
• Opcode Fuzzy Hash: 87d598a139a7f08a508e3bd02ec0ccec2690e5b900bcdffaa4bcb8a0e568149d
• Instruction Fuzzy Hash: 9BF1E4B0A012189BEB34CF18CD84BDDBB75EF45308F5045ACE619A7A81DB749AC4CF95
Uniqueness
Uniqueness Score: -1.00%

Control-flow Graph

APIs
• __RTC_Initialize.LIBCMT ref: 6C886552
• ___scrt_uninitialize_crt.LIBCMT ref: 6C88656C
Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID: Initialize___scrt_uninitialize_crt
• String ID:
• API String ID: 2442719207-0
• Opcode ID: b01c6fd17addeb7ed22757934df5d2eb66ce5b95751a9280e2bacc5c11dc016e
• Instruction ID: 4f121a5c8ee7f5f95cdfa0b551c2e27bbad2bb03d0c3d5f53963442ba2db25cc
• Opcode Fuzzy Hash: b01c6fd17addeb7ed22757934df5d2eb66ce5b95751a9280e2bacc5c11dc016e
• Instruction Fuzzy Hash: E941AE72A27258EFDB318F5DCF00AAE7AB4EF41759F104929E814E6F84DB304D058BA0
Uniqueness
Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 135 6c884700-6c88475e call 6c885210 call 6c8822b0 140 6c884789 135->140 141 6c884760-6c884787 call 6c885210 call 6c8822b0 135->141 142 6c88478d-6c884790 140->142 141->140 141->142 144 6c884792-6c88479b 142->144 145 6c8847d7-6c8847e1 142->145 147 6c88479d-6c8847a9 144->147 148 6c8847c5-6c8847d3 144->148 149 6c88481b-6c88481f 145->149 150 6c8847e3-6c8847ec 145->150 155 6c8847bb-6c8847c2 call 6c885e32 147->155 156 6c8847ab-6c8847b9 147->156 148->145 153 6c884870-6c88489b call 6c885210 call 6c8822b0 149->153 154 6c884821-6c884868 call 6c885210 call 6c8822b0 call 6c885210 call 6c8822b0 call 6c882e50 149->154 150->149 157 6c8847ee-6c8847fa 150->157 174 6c88489d-6c8848c2 call 6c885210 call 6c8822b0 153->174 175 6c8848c4 153->175 196 6c88486d 154->196 155->148 156->155 160 6c88480c call 6c889730 156->160 162 6c8847fc-6c88480a 157->162 163 6c884811-6c884818 call 6c885e32 157->163 160->163 162->160 162->163 163->149 174->175 178 6c8848c8-6c8848cb 174->178 175->178 181 6c8848d8-6c8848e2 178->181 182 6c8848cd-6c8848d3 call 6c885100 178->182 187 6c8848ef-6c8848f3 181->187 188 6c8848e4-6c8848ea call 6c885100 181->188 182->181 189 6c884944-6c88496f call 6c885210 call 6c8822b0 187->189 190 6c8848f5-6c884941 call 6c885210 call 6c8822b0 call 6c885210 call 6c8822b0 call 6c882e50 187->190 188->187 203 6c884998 189->203 204 6c884971-6c884996 call 6c885210 call 6c8822b0 189->204 190->189 196->153 207 6c88499c-6c88499f 203->207 204->203 204->207 210 6c8849ac-6c8849b6 207->210 211 6c8849a1-6c8849a7 call 6c885100 207->211 216 6c8849b8-6c8849be call 6c885100 210->216 217 6c8849c3-6c8849c7 210->217 211->210 216->217 221 6c884a18-6c884a3c call 6c884660 217->221 222 6c8849c9-6c884a15 call 6c885210 call 6c8822b0 call 6c885210 call 
[Control-flow graph node/edge listing (continued) omitted; the graph covers the loop around the Sleep call at 6C885025 and the subcalls to 6C885210 / 6C882580 / 6C885660.]
APIs
• Part of subcall function 6C885210: Concurrency::cancel_current_task.LIBCPMT ref: 6C8852C9
• Sleep.KERNEL32(000003E8), ref: 6C885025
Strings
Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID: Concurrency::cancel_current_taskSleep
• String ID: _$bc1
• API String ID: 1206865082-124563582
• Opcode ID: 44c67ef9804725181bcc81bccc3985575a19cd5fdb77e2a149bd3f6120cecb39
• Instruction ID: 8eda7f2884a2209c9e17a7eab6edc4052c7e0a203ed4fb55fb03f0221de26652
• Opcode Fuzzy Hash: 44c67ef9804725181bcc81bccc3985575a19cd5fdb77e2a149bd3f6120cecb39
• Instruction Fuzzy Hash: 0C32C1329123489BEB21EBACCB557DDBA756F91328F940D68D41227FC1EB351648C3E2
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
APIs
• __RTC_Initialize.LIBCMT ref: 6C886451
• Part of subcall function 6C886B34: InitializeSListHead.KERNEL32(6C89BE48,6C88645B,6C899BC0,00000010,6C8863EC,?,?,?,6C886614,?,00000001,?,?,00000001,?,6C899C08), ref: 6C886B39
• ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 6C8864BB
• ___scrt_fastfail.LIBCMT ref: 6C886505
Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID: Initialize$HeadList___scrt_fastfail___scrt_is_nonwritable_in_current_image
• String ID:
• API String ID: 2097537958-0
• Opcode ID: 0ac3e79b385e85ec517dc76807b449f429a250319d23209f0479c35c11aa1b11
• Instruction ID: a9e04468c0ea6407f3f6afcb0e87a67f9f797e41e976d516189e2948bf99ecab
• Opcode Fuzzy Hash: 0ac3e79b385e85ec517dc76807b449f429a250319d23209f0479c35c11aa1b11
• Instruction Fuzzy Hash: 1321DE316AB206AADB309FBC9B047DD37B16F5232CF204C79D462A7FC1DB615048D6A5
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
[Control-flow graph node/edge listing for the function at 6C885420 omitted; executed/not-executed legend dropped.]
APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 6C885553
Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID: Concurrency::cancel_current_task
• String ID:
• API String ID: 118556049-0
• Opcode ID: 6ee2d3b4dbf55cf1b283ab92d253cfdf0abbae3df5c760a63490612fbad5c70f
• Instruction ID: b1ddf3b107505e02c809df4d6ea4cc993f35b5df87d964f898f1ce4c6e2025cb
• Opcode Fuzzy Hash: 6ee2d3b4dbf55cf1b283ab92d253cfdf0abbae3df5c760a63490612fbad5c70f
• Instruction Fuzzy Hash: 953126B16023049BE7348EBCDA90A5EB7E9EB45325B204B3EE867C7FC1D77099448751
Uniqueness
• Uniqueness Score: -1.00%

Control-flow Graph
APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 6C88129E
• Part of subcall function 6C8871A3: RaiseException.KERNEL32(E06D7363,00000001,00000003,6C88127C,?,?,?,6C88127C,?,6C89A108), ref: 6C887203
Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID: ExceptionRaise___std_exception_copy
• String ID:
• API String ID: 3109751735-0
• Opcode ID: d60d5318d3dc13d58fe04543fe30711ccc8ba600cb2b0bc4f33ba6a782351b58
• Instruction ID: ce3d6d6cebe19a793bfc6292414b663ab3fbd7f4efe682d818f9ac65f21431f0
• Opcode Fuzzy Hash: d60d5318d3dc13d58fe04543fe30711ccc8ba600cb2b0bc4f33ba6a782351b58
• Instruction Fuzzy Hash: 7501C43580630CB7DB34EAACDE419C9B7BC9B01268B504D36B928D6E50FB30E558C7E5
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 571 6c88eb8e-6c88eb9b call 6c88b5e2 573 6c88eba0-6c88ebab 571->573 574 6c88ebad-6c88ebaf 573->574 575 6c88ebb1-6c88ebb9 573->575 576 6c88ebfc-6c88ec08 call 6c88b63f 574->576 575->576 577 6c88ebbb-6c88ebbf 575->577 579 6c88ebc1-6c88ebf6 call 6c88ce0a 577->579 583 6c88ebf8-6c88ebfb 579->583 583->576
APIs
• Part of subcall function 6C88B5E2: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6C88B19E,00000001,00000364,00000006,000000FF,?,00000001,6C88B3BB,6C88B665,?,?,6C88A83C), ref: 6C88B623
• _free.LIBCMT ref: 6C88EBFD
Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: rendered graph omitted (legend: Executed / Not Executed)
APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6C88B19E,00000001,00000364,00000006,000000FF,?,00000001,6C88B3BB,6C88B665,?,?,6C88A83C), ref: 6C88B623
Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph: rendered graph omitted (legend: Executed / Not Executed)
APIs
• RtlAllocateHeap.NTDLL(00000000,558B0000,558B0000,?,6C88C3F0,00000220,6C88EF98,558B0000,?,?,?,?,00000000,00000000,?,6C88EF98), ref: 6C88B595
Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 6C88966C
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 6C889676
• UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 6C889683
Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled$DebuggerPresent
• String ID:
• API String ID: 3906539128-0
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 34d7b10f60d29bd33d37decfe5520e39c6b4d35d02541785c21270bf5d394a12
                                                                                                                                                                                                                                                          • Instruction ID: 9981d4fffed3a8bc0ebdc50e92d68efb8a082b7136caa01a12f1f579d9ba5959
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 34d7b10f60d29bd33d37decfe5520e39c6b4d35d02541785c21270bf5d394a12
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7241A575806218AEDB20DF69CD88AFAB7B8EF85304F1446E9E45DD3A00D6359E84CF50
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: HeapProcess
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 54951025-0
                                                                                                                                                                                                                                                          • Opcode ID: 94bfeee8a7591f991d1a5e20da27c297abc91d4087f25b73e028c49224776615
                                                                                                                                                                                                                                                          • Instruction ID: 56cf586f40a5af325768695e73b0e138726e7274deb104740a2783db489a517f
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 94bfeee8a7591f991d1a5e20da27c297abc91d4087f25b73e028c49224776615
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2FA011B03002008B8B208EBAA2082083EB8BAE3288300803AA002C2022EB208000EA82
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • ___free_lconv_mon.LIBCMT ref: 6C88DB71
                                                                                                                                                                                                                                                            • Part of subcall function 6C88DF6D: _free.LIBCMT ref: 6C88DF8A
                                                                                                                                                                                                                                                            • Part of subcall function 6C88DF6D: _free.LIBCMT ref: 6C88DF9C
                                                                                                                                                                                                                                                            • Part of subcall function 6C88DF6D: _free.LIBCMT ref: 6C88DFAE
                                                                                                                                                                                                                                                            • Part of subcall function 6C88DF6D: _free.LIBCMT ref: 6C88DFC0
                                                                                                                                                                                                                                                            • Part of subcall function 6C88DF6D: _free.LIBCMT ref: 6C88DFD2
                                                                                                                                                                                                                                                            • Part of subcall function 6C88DF6D: _free.LIBCMT ref: 6C88DFE4
                                                                                                                                                                                                                                                            • Part of subcall function 6C88DF6D: _free.LIBCMT ref: 6C88DFF6
                                                                                                                                                                                                                                                            • Part of subcall function 6C88DF6D: _free.LIBCMT ref: 6C88E008
                                                                                                                                                                                                                                                            • Part of subcall function 6C88DF6D: _free.LIBCMT ref: 6C88E01A
                                                                                                                                                                                                                                                            • Part of subcall function 6C88DF6D: _free.LIBCMT ref: 6C88E02C
                                                                                                                                                                                                                                                            • Part of subcall function 6C88DF6D: _free.LIBCMT ref: 6C88E03E
                                                                                                                                                                                                                                                            • Part of subcall function 6C88DF6D: _free.LIBCMT ref: 6C88E050
                                                                                                                                                                                                                                                            • Part of subcall function 6C88DF6D: _free.LIBCMT ref: 6C88E062
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 6C88DB66
                                                                                                                                                                                                                                                            • Part of subcall function 6C88B63F: HeapFree.KERNEL32(00000000,00000000,?,6C88A83C), ref: 6C88B655
                                                                                                                                                                                                                                                            • Part of subcall function 6C88B63F: GetLastError.KERNEL32(?,?,6C88A83C), ref: 6C88B667
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 6C88DB88
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 6C88DB9D
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 6C88DBA8
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 6C88DBCA
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 6C88DBDD
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 6C88DBEB
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 6C88DBF6
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 6C88DC2E
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 6C88DC35
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 6C88DC52
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 6C88DC6A
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 161543041-0
                                                                                                                                                                                                                                                          • Opcode ID: 1d22f54c3da33320778e1eb2b4fbcd334030ee4b4e05e62f7dc1440c83e8c860
                                                                                                                                                                                                                                                          • Instruction ID: 3620c1c8b6706267b7e7ded6cb6a6e62796e1f40d0858c2f8721b66311f1d9e7
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1d22f54c3da33320778e1eb2b4fbcd334030ee4b4e05e62f7dc1440c83e8c860
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F2314A31606206AFEB309F39DE40BAA73E9AF44718F205D2BE055D7E94DF71A8448B14
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • IsInExceptionSpec.LIBVCRUNTIME ref: 6C887A5B
                                                                                                                                                                                                                                                          • type_info::operator==.LIBVCRUNTIME ref: 6C887A82
                                                                                                                                                                                                                                                          • ___TypeMatch.LIBVCRUNTIME ref: 6C887B8E
                                                                                                                                                                                                                                                          • IsInExceptionSpec.LIBVCRUNTIME ref: 6C887C69
                                                                                                                                                                                                                                                          • _UnwindNestedFrames.LIBCMT ref: 6C887CF0
                                                                                                                                                                                                                                                          • CallUnexpected.LIBVCRUNTIME ref: 6C887D0B
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmpDownload File
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID: ExceptionSpec$CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
• String ID: csm$csm$csm
• API String ID: 2123188842-393685449
• Opcode ID: c850b217a53599b1217dd7b5b7a62140ddaffef78259d5dd991949474dd4d6b8
• Instruction ID: c52cc84f5d415e8c9460619bb3634da69070da7b899a714a19638a3f2e39113d
• Opcode Fuzzy Hash: c850b217a53599b1217dd7b5b7a62140ddaffef78259d5dd991949474dd4d6b8
• Instruction Fuzzy Hash: E7C1AE71A062099FCF25CFA8CA8099EBB75BF04308F15496AF814ABE11D335DA51CBA1
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 61e7ffbd7e6a7894e708b7f33d1f147f8f94beea4649ba05a6d893a2eab97b4e
• Instruction ID: 4aba903c6c560354444f09cc559cb76d8727b783c3f33fe21fd3d8b0c7eed71e
• Opcode Fuzzy Hash: 61e7ffbd7e6a7894e708b7f33d1f147f8f94beea4649ba05a6d893a2eab97b4e
• Instruction Fuzzy Hash: 9E21FC76901109BFCB11EF98CD80DEE7BB9BF48244F404566F5159BA60DB32DA59CF80
Uniqueness

Uniqueness Score: -1.00%

APIs
• _ValidateLocalCookies.LIBCMT ref: 6C8872E7
• ___except_validate_context_record.LIBVCRUNTIME ref: 6C8872EF
• _ValidateLocalCookies.LIBCMT ref: 6C887378
• __IsNonwritableInCurrentImage.LIBCMT ref: 6C8873A3
• _ValidateLocalCookies.LIBCMT ref: 6C8873F8
Strings
Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 0fb29e189b134e329e0422152e335a56f35a481b42a776e7c776a96bb4568c95
• Instruction ID: 824c1b653e6192f078bae897a556a887dfd9aba02c086c7c98fceef2a53b45a2
• Opcode Fuzzy Hash: 0fb29e189b134e329e0422152e335a56f35a481b42a776e7c776a96bb4568c95
• Instruction Fuzzy Hash: 3B419134A022089BCF30CF6DC984A9E7BB5BF45318F148965FD249BB51D731E949CB92
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID:
• String ID: api-ms-$ext-ms-
• API String ID: 0-537541572
• Opcode ID: 5bbaa3e93cf91b78b36b7bfd6344d44d42401ee26e7733aa0ee7f0576fa248b5
• Instruction ID: e4eb87f2ec8fd78e3958a1b994ae7007658579d0c50cac5f64d0bd221d8a3938
• Opcode Fuzzy Hash: 5bbaa3e93cf91b78b36b7bfd6344d44d42401ee26e7733aa0ee7f0576fa248b5
• Instruction Fuzzy Hash: 3521E131B47614BBDB316E6D8E40A4A37699F42B68F160F21E855E7F86D730DD00C6E0
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 6C88E0D4: _free.LIBCMT ref: 6C88E0F9
• _free.LIBCMT ref: 6C88E15A
  • Part of subcall function 6C88B63F: HeapFree.KERNEL32(00000000,00000000,?,6C88A83C), ref: 6C88B655
  • Part of subcall function 6C88B63F: GetLastError.KERNEL32(?,?,6C88A83C), ref: 6C88B667
• _free.LIBCMT ref: 6C88E165
• _free.LIBCMT ref: 6C88E170
• _free.LIBCMT ref: 6C88E1C4
• _free.LIBCMT ref: 6C88E1CF
• _free.LIBCMT ref: 6C88E1DA
• _free.LIBCMT ref: 6C88E1E5
Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 6688a93d272e8f63d8b572137aeade3ba908fe40e4732d61955ac79dadc09bbf
• Instruction ID: a0131e6a21c9b03a2193c3af4478801cb5b619f7645523caa888e66235c6bee4
• Opcode Fuzzy Hash: 6688a93d272e8f63d8b572137aeade3ba908fe40e4732d61955ac79dadc09bbf
• Instruction Fuzzy Hash: 16116A31642B04AAD670EBB4CE05FDB779CAF44708F400D35E3E9ABE55DB25A90C8792
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetConsoleCP.KERNEL32(00000000,00000001,00000000), ref: 6C88EF84
• __fassign.LIBCMT ref: 6C88F163
• __fassign.LIBCMT ref: 6C88F180
• WriteFile.KERNEL32(?,6C88D664,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C88F1C8
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 6C88F208
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 6C88F2B4
Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: FileWrite__fassign$ConsoleErrorLast
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 4031098158-0
                                                                                                                                                                                                                                                          • Opcode ID: f1d6eed4293807f64056233b28647e0692593f5b310da19d6dc42b8e2fb7daeb
                                                                                                                                                                                                                                                          • Instruction ID: b9e8561dbea34c2951d0719de085f1c5a61987903067ba0ffb6aa74c7b9b2247
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f1d6eed4293807f64056233b28647e0692593f5b310da19d6dc42b8e2fb7daeb
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 44D1DD75E022589FCF21CFE8C9809EDBBB5BF49318F24056AE855BBB41D331A906CB50
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(00000001,?,6C887233,6C885F47,6C8863DC,?,6C886614,?,00000001,?,?,00000001,?,6C899C08,0000000C,6C886708), ref: 6C887637
                                                                                                                                                                                                                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 6C887645
                                                                                                                                                                                                                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 6C88765E
                                                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000,6C886614,?,00000001,?,?,00000001,?,6C899C08,0000000C,6C886708,?,00000001,?), ref: 6C8876B0
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3852720340-0
                                                                                                                                                                                                                                                          • Opcode ID: 5f9ca08bc9733adea39f3dea9fc43d7a4ca6a17a8e1bb478834158f7d5374be1
                                                                                                                                                                                                                                                          • Instruction ID: cf066c655a3dffe7dafd3ddeb0b8d68b9bf41e9f4edccea1423c6912d8d105e6
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5f9ca08bc9733adea39f3dea9fc43d7a4ca6a17a8e1bb478834158f7d5374be1
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7501B53230F2169EDA34497D5F84EA72674DB42B7C7200B3AF53081ED5EB524C15D5C4
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\rundll32.exe, xrefs: 6C88BEB0
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                          • API String ID: 0-2837366778
                                                                                                                                                                                                                                                          • Opcode ID: 9add5e69564bf679e586f918db2c49b4afd6aaccf6191dcabcbd7fea3e0821be
                                                                                                                                                                                                                                                          • Instruction ID: 90d3ec55cd5403f64ffbd1e4e104c57a6d8de2aa608ec9b19c08bb407e3eae82
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9add5e69564bf679e586f918db2c49b4afd6aaccf6191dcabcbd7fea3e0821be
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1121537160A109BF9B309E6A8E9097B77ADEF8236C7144E24F92497E50D721EC108BA0
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: api-ms-
                                                                                                                                                                                                                                                          • API String ID: 0-2084034818
                                                                                                                                                                                                                                                          • Opcode ID: 1459db3a20f76ba179ee21faad43e003ea00937c45a8fab2aa12998d25b0e268
                                                                                                                                                                                                                                                          • Instruction ID: c64f51d3cbc24cf07588bf859a928058a0ea50597038027bff98eda544e5b039
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1459db3a20f76ba179ee21faad43e003ea00937c45a8fab2aa12998d25b0e268
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 21119F31A47125EFDF319E6D8A4464A77B89F837A8B150E22E925B7E80D730ED00C6E0
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,6C889FB6,?,?,6C889F7E,?,00000001,?), ref: 6C88A019
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 6C88A02C
                                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,6C889FB6,?,?,6C889F7E,?,00000001,?), ref: 6C88A04F
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
• Opcode ID: bbe35df311ae346222e72a64be272bb28e9cbdecc4ad7caf194cd45a03f9b4f7
• Instruction ID: 982f0e77dc8e46de74b0a1446c40e1168c8259aea86e89dbd121b5797ef8cd33
• Opcode Fuzzy Hash: bbe35df311ae346222e72a64be272bb28e9cbdecc4ad7caf194cd45a03f9b4f7
• Instruction Fuzzy Hash: 1BF08C30A02118FBDF319F95CE0DBDD7AB9EBC175EF204464E820A2690DB348E00EB90
Uniqueness
• Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 6C88E083
  • Part of subcall function 6C88B63F: HeapFree.KERNEL32(00000000,00000000,?,6C88A83C), ref: 6C88B655
  • Part of subcall function 6C88B63F: GetLastError.KERNEL32(?,?,6C88A83C), ref: 6C88B667
• _free.LIBCMT ref: 6C88E095
• _free.LIBCMT ref: 6C88E0A7
• _free.LIBCMT ref: 6C88E0B9
• _free.LIBCMT ref: 6C88E0CB
Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 5d6979ccd7a1229b4b7393f4ad40f70ce3e8a55dd173fea330e12f4bec0ed10c
• Instruction ID: 337f70701f3b187c62f0cc42ee1e81c2e97b03d40d65791099b6e6dd475daf9d
• Opcode Fuzzy Hash: 5d6979ccd7a1229b4b7393f4ad40f70ce3e8a55dd173fea330e12f4bec0ed10c
• Instruction Fuzzy Hash: EEF0F9356072099B8A30DF6CEAC1C6A73E9BB45718B602D25F458D7E44CB31FC808BE8
Uniqueness
• Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID: _free
• String ID: *?
• API String ID: 269201875-2564092906
• Opcode ID: ef08da0b10d7064cd12ee8afefbcc6a6e32f0bd0d3cb27353226fc465ca1fc20
• Instruction ID: 7be907546f03d9ac3af4fe8e744080f6bf49fc2776e686c60d6b494a0222112d
• Opcode Fuzzy Hash: ef08da0b10d7064cd12ee8afefbcc6a6e32f0bd0d3cb27353226fc465ca1fc20
• Instruction Fuzzy Hash: B7616C75E052199FDB24CFA9CD805EDFBF5EF88314B28856AD814E7B00E735AE418B90
Uniqueness
• Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
• Opcode ID: 7a4936a3d9e271524502dcf551e597a700b75d1c7922c552fdbdae60c0faf091
• Instruction ID: 65f0e399c6a2d66e405d095cc96058c8f463874e821e8beee32cbb103b862e25
• Opcode Fuzzy Hash: 7a4936a3d9e271524502dcf551e597a700b75d1c7922c552fdbdae60c0faf091
• Instruction Fuzzy Hash: 2751AF72B47216AFEB358F18DA40BAA77B4FF41318F604D29F81587E90E731A840CB94
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 6C88BD65: _free.LIBCMT ref: 6C88BD73
  • Part of subcall function 6C88C93F: WideCharToMultiByte.KERNEL32(?,00000000,6C88D6D5,00000000,00000001,6C88D664,6C88F8CC,?,6C88D6D5,?,00000000,?,6C88F63B,0000FDE9,00000000,?), ref: 6C88C9E1
• GetLastError.KERNEL32 ref: 6C88B7AB
• __dosmaperr.LIBCMT ref: 6C88B7B2
• GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 6C88B7F1
• __dosmaperr.LIBCMT ref: 6C88B7F8
Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
• String ID:
• API String ID: 167067550-0
• Opcode ID: 304049d96254b8e3b110994dd984bcf7ccc58fefa66296cd3f6dac6bf61842c3
• Instruction ID: 5bda96ac337a3bc9fe5edf23a0f9728b26c207b382380215d0bc0df12330a057
• Opcode Fuzzy Hash: 304049d96254b8e3b110994dd984bcf7ccc58fefa66296cd3f6dac6bf61842c3
• Instruction Fuzzy Hash: 1A218871605619AF9B309F6A8E8097BB7ACEF813AC7144E38F92497E50E731ED418790
Uniqueness
• Uniqueness Score: -1.00%
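The API lines in these function records follow one fixed shape: `<api>.<module>(<args>), ref: <call-site>` for a direct call, the same line prefixed with `Part of subcall function <addr>:` when the call is reached through a callee, and `<helper>.LIBCMT ref: <addr>` with no argument list for CRT-internal helpers. As an added example that is not part of the Joe Sandbox report, the Python below parses a block of such lines into structured records, drops the CRT noise (the assumption here is that every `LIBCMT` entry is static MSVC runtime code rather than a Windows import) and pulls out argument values that fall inside the dumped image at `6C880000`. The sample block is constructed from the records on this page; the image size passed to `in_image_args` is an assumption, not a value the report states.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the "APIs" block of one function record, in the shape
# Joe Sandbox prints it (nested "Part of subcall" lines are indented).
SAMPLE_APIS = """\
• _free.LIBCMT ref: 6C88E083
  • Part of subcall function 6C88B63F: HeapFree.KERNEL32(00000000,00000000,?,6C88A83C), ref: 6C88B655
  • Part of subcall function 6C88B63F: GetLastError.KERNEL32(?,?,6C88A83C), ref: 6C88B667
• _free.LIBCMT ref: 6C88E095
• GetLastError.KERNEL32(?,?,?,6C88F382,00000000,00000001,6C88D6D5,?,6C88F841), ref: 6C88B001
• SetLastError.KERNEL32(00000000,00000006,000000FF,?,6C88F841,00000001), ref: 6C88B09F
"""

# Assumption for this example: LIBCMT is the statically linked MSVC CRT,
# so its helpers are compiler noise rather than imports worth triaging.
RUNTIME_MODULES = {"LIBCMT"}

LINE_RE = re.compile(
    r"""^\s*•\s*
        (?:Part\ of\ subcall\ function\ (?P<subcall>[0-9A-Fa-f]+):\s*)?
        (?P<api>[A-Za-z_][\w@]*)\.(?P<module>[A-Za-z0-9_]+)
        (?:\((?P<args>[^)]*)\))?
        ,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$""",
    re.VERBOSE,
)


@dataclass
class ApiRef:
    api: str
    module: str
    ref: int                        # call-site address inside the dumped image
    args: List[str] = field(default_factory=list)
    subcall: Optional[int] = None   # callee that actually performs the call, if nested

    @property
    def is_runtime(self) -> bool:
        return self.module.upper() in RUNTIME_MODULES


def parse_api_lines(text: str) -> List[ApiRef]:
    """Parse one record's APIs block; raise on a line that does not fit the format."""
    refs: List[ApiRef] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised API line: {line!r}")
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        refs.append(ApiRef(
            api=m.group("api"),
            module=m.group("module"),
            ref=int(m.group("ref"), 16),
            args=args,
            subcall=int(m.group("subcall"), 16) if m.group("subcall") else None,
        ))
    return refs


def win32_imports(refs: List[ApiRef]) -> List[str]:
    """Unique module!api names with CRT helpers removed, in first-seen order."""
    seen: List[str] = []
    for r in refs:
        name = f"{r.module}!{r.api}"
        if not r.is_runtime and name not in seen:
            seen.append(name)
    return seen


def direct_calls(refs: List[ApiRef]) -> List[ApiRef]:
    """Calls made by the function itself, not by one of its callees."""
    return [r for r in refs if r.subcall is None]


def in_image_args(refs: List[ApiRef], base: int, size: int) -> List[Tuple[str, int]]:
    """Hex arguments that lie inside [base, base+size): return addresses or
    data pointers into the dumped module, useful for cross-referencing."""
    hits: List[Tuple[str, int]] = []
    for r in refs:
        for a in r.args:
            if re.fullmatch(r"[0-9A-Fa-f]{8}", a):
                v = int(a, 16)
                if base <= v < base + size:
                    hits.append((r.api, v))
    return hits


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_APIS)
    print("imports:", win32_imports(parsed))
    print("direct:", [r.api for r in direct_calls(parsed)])
    # 0x20000 is an assumed image size; the report only gives the base.
    print("in-image args:", [(a, hex(v)) for a, v in in_image_args(parsed, 0x6C880000, 0x20000)])
```

Run it against the APIs block of any record on this page to get the same split; the `_free` and `__dosmaperr` entries drop out, leaving only the KERNEL32 calls that say something about what the function does.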

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,?,?,6C88F382,00000000,00000001,6C88D6D5,?,6C88F841,00000001,?,?,?,6C88D664,?,00000000), ref: 6C88B001
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 6C88B05E
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 6C88B094
                                                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000,00000006,000000FF,?,6C88F841,00000001,?,?,?,6C88D664,?,00000000,00000000,6C899F88,0000002C,6C88D6D5), ref: 6C88B09F
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorLast_free
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2283115069-0
                                                                                                                                                                                                                                                          • Opcode ID: 697e9eecaaf9d16ac098f9adaf1ddabe633c8e20f87424363eb92a34ad4b6b0d
                                                                                                                                                                                                                                                          • Instruction ID: 351aefc7dd4b8fb53088aeded07fced3f9c85bd879324b596568bfc1b6952d3b
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 697e9eecaaf9d16ac098f9adaf1ddabe633c8e20f87424363eb92a34ad4b6b0d
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B311EC327071056AD6312ABD4F80EBA256ADBC667EB240F34F23097FC4FF668C188194
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,?,00000001,6C88B3BB,6C88B665,?,?,6C88A83C), ref: 6C88B158
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 6C88B1B5
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 6C88B1EB
                                                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000,00000006,000000FF,?,00000001,6C88B3BB,6C88B665,?,?,6C88A83C), ref: 6C88B1F6
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorLast_free
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2283115069-0
                                                                                                                                                                                                                                                          • Opcode ID: ba2141ae5f388a18575361cc995a046693123c47ea1f4d2abaf6ea7a6691a8de
                                                                                                                                                                                                                                                          • Instruction ID: 1f1e5fe08e45b23262c57e43c54fe88c24e6010803189b58e04958e6f2cb1279
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ba2141ae5f388a18575361cc995a046693123c47ea1f4d2abaf6ea7a6691a8de
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8111E9363471056AD6312A7D4E80E7A296AAFC26BEB240F34F134DBFC0FF2588148190
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • WriteConsoleW.KERNEL32(?,?,6C88D6D5,00000000,?,?,6C88FDB0,?,00000001,?,00000001,?,6C88F311,00000000,00000000,00000001), ref: 6C89036D
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,6C88FDB0,?,00000001,?,00000001,?,6C88F311,00000000,00000000,00000001,00000000,00000001,?,6C88F865,6C88D664), ref: 6C890379
                                                                                                                                                                                                                                                            • Part of subcall function 6C89033F: CloseHandle.KERNEL32(FFFFFFFE,6C890389,?,6C88FDB0,?,00000001,?,00000001,?,6C88F311,00000000,00000000,00000001,00000000,00000001), ref: 6C89034F
                                                                                                                                                                                                                                                          • ___initconout.LIBCMT ref: 6C890389
                                                                                                                                                                                                                                                            • Part of subcall function 6C890301: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6C890330,6C88FD9D,00000001,?,6C88F311,00000000,00000000,00000001,00000000), ref: 6C890314
                                                                                                                                                                                                                                                          • WriteConsoleW.KERNEL32(?,?,6C88D6D5,00000000,?,6C88FDB0,?,00000001,?,00000001,?,6C88F311,00000000,00000000,00000001,00000000), ref: 6C89039E
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2744216297-0
                                                                                                                                                                                                                                                          • Opcode ID: 77532d42a728fb1238a3e76e7749774f543c7f3955d5b03c8102382eba564a32
                                                                                                                                                                                                                                                          • Instruction ID: cfc4f6fa966a289ba1704f2fe320a6737c1496efb2ecc1f84ab7eba67af413bd
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 77532d42a728fb1238a3e76e7749774f543c7f3955d5b03c8102382eba564a32
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 72F01236200158FBCF721F9DCD4499A3F76FB4E7B8B144520FA1996220C7328820EBD1
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 6C88A986
                                                                                                                                                                                                                                                            • Part of subcall function 6C88B63F: HeapFree.KERNEL32(00000000,00000000,?,6C88A83C), ref: 6C88B655
                                                                                                                                                                                                                                                            • Part of subcall function 6C88B63F: GetLastError.KERNEL32(?,?,6C88A83C), ref: 6C88B667
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 6C88A999
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 6C88A9AA
                                                                                                                                                                                                                                                          • _free.LIBCMT ref: 6C88A9BB
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 776569668-0
                                                                                                                                                                                                                                                          • Opcode ID: 1c54b5e656db17aa874d7496d8e0b35c299b3e66e55e9f41f2f1bd35979f3382
• Instruction ID: 0dea02915e148e9907fd696f262ae8c592598bc58a0d1d15b87f93c2a31c3a6b
• Opcode Fuzzy Hash: 1c54b5e656db17aa874d7496d8e0b35c299b3e66e55e9f41f2f1bd35979f3382
• Instruction Fuzzy Hash: E2E09272A811229B8E32BF1D9D404BA3A31A79A618B015476F40017A1AC7331956DFDD
Uniqueness

Uniqueness Score: -1.00%

APIs
• std::_Xinvalid_argument.LIBCPMT ref: 6C885B75
  • Part of subcall function 6C885DE1: std::invalid_argument::invalid_argument.LIBCONCRT ref: 6C885DED
• Concurrency::cancel_current_task.LIBCPMT ref: 6C885CBE
Strings
Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID: Concurrency::cancel_current_taskXinvalid_argumentstd::_std::invalid_argument::invalid_argument
• String ID: string too long
• API String ID: 3990507346-2556327735
• Opcode ID: 59304be66c8e7c566d0661f0cd568fce371531282fd0db6f31690ebc4993fc57
• Instruction ID: 6d39777161cd8e17cab54f428f9c6c50c55f2a8be8589021aeb2316c0dbef462
• Opcode Fuzzy Hash: 59304be66c8e7c566d0661f0cd568fce371531282fd0db6f31690ebc4993fc57
• Instruction Fuzzy Hash: 18412772E03218AFEB24CF6CCE8059EB7A6EF44354B110A7AD816D7F00DB309E048B91
Uniqueness

Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID:
• String ID: C:\Windows\SysWOW64\rundll32.exe
• API String ID: 0-2837366778
• Opcode ID: b4bb037e1db37866045478888a3dab8fc386a9f0ee6e13cd1660dc78009471c5
• Instruction ID: 16aad1a88d47ac4d2ddb60d8c8f17a9763abd631d1a5ba3a050155e907e687fd
• Opcode Fuzzy Hash: b4bb037e1db37866045478888a3dab8fc386a9f0ee6e13cd1660dc78009471c5
• Instruction Fuzzy Hash: EF41A275A06208AFCB31DF9DCE809DEBBB8EB85318F100866E501A7FC1D7718A44CB94
Uniqueness

Uniqueness Score: -1.00%

APIs
• EncodePointer.KERNEL32(00000000,?,00000000,1FFFFFFF), ref: 6C887D3B
Strings
Memory Dump Source
• Source File: 00000008.00000002.3608123812.000000006C881000.00000020.00000001.01000000.0000000A.sdmp, Offset: 6C880000, based on PE: true
• Associated: 00000008.00000002.3607599638.000000006C880000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608240708.000000006C894000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608351984.000000006C89B000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 00000008.00000002.3608451549.000000006C89D000.00000002.00000001.01000000.0000000A.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_6c880000_rundll32.jbxd
Yara matches
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
• Opcode ID: 7381ce0772155bdeb5c04674511e7b40be4f51b99a33493e4839600f2db02916
• Instruction ID: de8d65d1caa63ddeae02da8def6f12eea3792df06362dc1d0956282bedd715e2
• Opcode Fuzzy Hash: 7381ce0772155bdeb5c04674511e7b40be4f51b99a33493e4839600f2db02916
• Instruction Fuzzy Hash: 23419F71A01109EFDF21CF98CE80AEE7BB5FF48308F144969F914A7A25D3359950DB60
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.2481611005.00007FFD33A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd33a90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 025955163531bbfc4aedbfeb0042af9d99835170545ed72e2a935de98bf8bb6a
• Instruction ID: bc6b54949615c267428656dd0a0488066ef6c4da4f7ca2dc6ce85ccad7cc659d
• Opcode Fuzzy Hash: 025955163531bbfc4aedbfeb0042af9d99835170545ed72e2a935de98bf8bb6a
• Instruction Fuzzy Hash: AE716E3170CD498FDBA8EA2DD4A4A7573D2EF99304714426CE09EC76D2CE65FC429744
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.2481611005.00007FFD33A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd33a90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8183a03a6a0542bdf92515ee5b946cbfd6816f746ee341f26b79b650e3ede959
• Instruction ID: 665b9c39cb8734db980969285fca165405482120ceec8f28cfb725264da327fc
• Opcode Fuzzy Hash: 8183a03a6a0542bdf92515ee5b946cbfd6816f746ee341f26b79b650e3ede959
• Instruction Fuzzy Hash: 9251253160DB898FE749DF28C8A5A617BE1FF56310B1441EED18AC71A3EA29F846C741
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.2481611005.00007FFD33A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33A90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd33a90000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6ef4e84b13b3e61809759d21ab92366ec598d87150cd68a2ab61e1c61d5989f7
• Instruction ID: 947a8fd882a78dbb586c6e0b319d65e1da1aac341819dd6d845632df271ad82d
• Opcode Fuzzy Hash: 6ef4e84b13b3e61809759d21ab92366ec598d87150cd68a2ab61e1c61d5989f7
• Instruction Fuzzy Hash: 3331C263B1CE8E0FF7A8AA1D946577573C1EB68711F00057FE49ED72D2DC58A8468281
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000009.00000002.2482603908.00007FFD33B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_7ffd33b60000_powershell.jbxd
Similarity
• API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 8ad2d492cbb5983308c425f91efe78fd2e1dd83c3fc2873cd74cbafa6f901ecd
                                                                                                                                                                                                                                                          • Instruction ID: dfb43cf2f21c08ca6c4e4fe57e33c33d7dbc355bd08ae81434d07ff36723caf7
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8ad2d492cbb5983308c425f91efe78fd2e1dd83c3fc2873cd74cbafa6f901ecd
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8F31A462A4EBC54FE7639B3888341A47FB0AF53220B1901FBD1DDCB0E3D9195829C752
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2482603908.00007FFD33B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33B60000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_7ffd33b60000_powershell.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 9c58f8c008a6ab5fa87b4a7b7beefc6b6c71fcd52b2a6d4cd3ecc71b32969fe5
                                                                                                                                                                                                                                                          • Instruction ID: e29d5779cab55c28794aa89d45dd46f93eda2f2e96c40a376116a362711c945f
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9c58f8c008a6ab5fa87b4a7b7beefc6b6c71fcd52b2a6d4cd3ecc71b32969fe5
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C121B662A0EBC54FD7639B7888351A17FB0AF5322071902FBC1D9CB1E3D91D6816D712
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2481611005.00007FFD33A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33A90000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_7ffd33a90000_powershell.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 89cf490454d7bf4db362622e3d2b8a85fcc481bc01f27d3ca7e3566b79ed4113
                                                                                                                                                                                                                                                          • Instruction ID: 03c51093876e96337521ce9d13fbc997aaba0e695358a8bf917f1c2c15836636
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 89cf490454d7bf4db362622e3d2b8a85fcc481bc01f27d3ca7e3566b79ed4113
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1001677125CB0C4FDB44EF0CE451AA6B7E0FB99364F10056DE58AC3691DA36E882CB45
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 00000009.00000002.2481611005.00007FFD33A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD33A90000, based on PE: false
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_7ffd33a90000_powershell.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 7d6d267bd05ca7e8ae1768716f12bb06e0efb2296ea26ee5b0067a6207016ef1
                                                                                                                                                                                                                                                          • Instruction ID: 60feead8c9e93f5233e412bd67b59e6a7120a462bda13838aba8dfce85179ce3
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7d6d267bd05ca7e8ae1768716f12bb06e0efb2296ea26ee5b0067a6207016ef1
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E9F0303271C6088FDB5CAA1CF4529B573E1EB99320B10012EE58BC2296D926F8468A85
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Execution Graph

                                                                                                                                                                                                                                                          Execution Coverage:3.4%
                                                                                                                                                                                                                                                          Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                                                          Signature Coverage:0%
                                                                                                                                                                                                                                                          Total number of Nodes:487
                                                                                                                                                                                                                                                          Total number of Limit Nodes:22

Control-flow Graph

Basic blocks of the function at 6d5e8b (the graph's node ids and edges, rendered as a list):
• 551: 6d5e8b-6d5e98, call 6d9b02 -> 554 or 555
• 555: 6d5e9a-6d5ea8, GetPEB -> 554 or 556
• 556: 6d5eaa-6d5eb9 -> 554
• 554: 6d5eba-6d5ecc, call 6d5ecd, ExitProcess (terminal block, no successor)
Every path through the function ends in ExitProcess; the PEB read in block 555 only decides whether block 556 runs before the exit.
APIs
• ExitProcess.KERNEL32(00000000,?,006D5E8A,?,?,00000000,?), ref: 006D5EC7 (uExitCode = 0; ExitProcess takes one parameter, so the remaining listed slots are stack contents at the call site, not arguments)
Memory Dump Source
• Source File: 0000000B.00000002.2470234550.00000000006A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 006A0000, based on PE: true
• Associated: 0000000B.00000002.2469465779.00000000006A0000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2470234550.0000000000701000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2475547681.0000000000706000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000708000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.000000000088A000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000965000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000991000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000998000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.00000000009A7000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2481834170.00000000009A8000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2482405481.0000000000B3B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2482540811.0000000000B3D000.00000080.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6a0000_amert.jbxd
Yara matches
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: c345f45791ed141ac9deb722970fe15ff0e37b7f161863e2c94d36983ebbbc10
• Instruction ID: 3429e436cb2cbb90f4882ffe9650386dade1a91b94a67682d95ec5f570235aa3
• Opcode Fuzzy Hash: c345f45791ed141ac9deb722970fe15ff0e37b7f161863e2c94d36983ebbbc10
• Instruction Fuzzy Hash: 43E08C30901A48AFCF357B16D91DE9F3B1BEB52352F514806FC0946722CB35EE41C680
Uniqueness
Uniqueness Score: -1.00%
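
The memory dump list above is more useful once the file names are decoded. The following script is an added triage example, not code from the report or from Joe Sandbox. It assumes the name layout read off this page: the first two fields carry the same process index (11) and dump number (2) as the snapshot name hcaresult_11_2_6a0000, the fourth field is the region base, the fifth decodes as a Win32 PAGE_* protection and the seventh as a MEM_* type (the winnt.h values); fields 3, 6 and 8 are left raw. It then flags image regions that are both writable and executable, which a cleanly mapped PE does not have (code is PAGE_EXECUTE_READ, data is PAGE_READWRITE or PAGE_WRITECOPY).

```python
"""Decode Joe Sandbox .sdmp file names into Win32 region attributes and flag W+X image pages.
Added example; field roles are an assumption read off this page, fields 3, 6 and 8 are not interpreted."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# winnt.h constants
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
MEM_IMAGE = 0x1000000
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

SDMP_RE = re.compile(
    r"^(?P<proc>[0-9A-F]{8})\.(?P<num>[0-9A-F]{8})\.(?P<raw3>\d+)\."
    r"(?P<base>[0-9A-F]{16})\.(?P<prot>[0-9A-F]{8})\.(?P<raw6>[0-9A-F]{8})\."
    r"(?P<type>[0-9A-F]{8})\.(?P<raw8>[0-9A-F]{8})\.sdmp$", re.I)
SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-f]+)_\w+\.jbxd$", re.I)


@dataclass
class Dump:
    process_index: int  # assumed: analysis process index (hcaresult_11_...)
    dump_number: int    # assumed: dump sequence number (hcaresult_.._2_...)
    base: int           # region base address
    protect: int        # PAGE_* protection of the region
    mem_type: int       # MEM_IMAGE / MEM_MAPPED / MEM_PRIVATE

    @property
    def protection_name(self) -> str:
        low = self.protect & 0xFF
        name = PAGE_PROTECTION.get(low, f"0x{low:02X}")
        mods = [n for bit, n in PAGE_MODIFIERS.items() if self.protect & bit]
        return "|".join([name] + mods)

    @property
    def type_name(self) -> str:
        return MEM_TYPES.get(self.mem_type, f"0x{self.mem_type:X}")

    @property
    def writable_and_executable(self) -> bool:
        low = self.protect & 0xFF
        return low in EXECUTABLE and low in WRITABLE


def parse_sdmp(name: str) -> Optional[Dump]:
    """Return a Dump for one .sdmp file name, or None if the name has another shape."""
    m = SDMP_RE.match(name.strip())
    if not m:
        return None
    return Dump(int(m["proc"], 16), int(m["num"], 16), int(m["base"], 16),
                int(m["prot"], 16), int(m["type"], 16))


def parse_snapshot(name: str) -> Optional[Tuple[int, int, int]]:
    """Split an IDA-plugin snapshot name into (process index, dump number, image base)."""
    m = SNAPSHOT_RE.match(name.strip())
    return (int(m[1]), int(m[2]), int(m[3], 16)) if m else None


def triage(names: List[str], snapshot: str) -> List[Dump]:
    """Image regions of the snapshot's process and dump that are writable and executable."""
    snap = parse_snapshot(snapshot)
    if snap is None:
        raise ValueError(f"unrecognised snapshot name: {snapshot}")
    proc, num, _ = snap
    hits = []
    for n in names:
        d = parse_sdmp(n)
        if d and (d.process_index, d.dump_number) == (proc, num) \
                and d.mem_type == MEM_IMAGE and d.writable_and_executable:
            hits.append(d)
    return hits


# The thirteen dump names of the function record above, copied from the report.
REPORT_DUMPS = [
    "0000000B.00000002.2470234550.00000000006A1000.00000040.00000001.01000000.0000000B.sdmp",
    "0000000B.00000002.2469465779.00000000006A0000.00000004.00000001.01000000.0000000B.sdmp",
    "0000000B.00000002.2470234550.0000000000701000.00000040.00000001.01000000.0000000B.sdmp",
    "0000000B.00000002.2475547681.0000000000706000.00000004.00000001.01000000.0000000B.sdmp",
    "0000000B.00000002.2476650601.0000000000708000.00000040.00000001.01000000.0000000B.sdmp",
    "0000000B.00000002.2476650601.000000000088A000.00000040.00000001.01000000.0000000B.sdmp",
    "0000000B.00000002.2476650601.0000000000965000.00000040.00000001.01000000.0000000B.sdmp",
    "0000000B.00000002.2476650601.0000000000991000.00000040.00000001.01000000.0000000B.sdmp",
    "0000000B.00000002.2476650601.0000000000998000.00000040.00000001.01000000.0000000B.sdmp",
    "0000000B.00000002.2476650601.00000000009A7000.00000040.00000001.01000000.0000000B.sdmp",
    "0000000B.00000002.2481834170.00000000009A8000.00000080.00000001.01000000.0000000B.sdmp",
    "0000000B.00000002.2482405481.0000000000B3B000.00000040.00000001.01000000.0000000B.sdmp",
    "0000000B.00000002.2482540811.0000000000B3D000.00000080.00000001.01000000.0000000B.sdmp",
]

if __name__ == "__main__":
    for d in triage(REPORT_DUMPS, "hcaresult_11_2_6a0000_amert.jbxd"):
        print(f"0x{d.base:08X} {d.protection_name} {d.type_name}")
```

Run against the list above, only the PE header region at 006A0000 and the data region at 00706000 come back as plain PAGE_READWRITE; the other eleven image regions, including the code region at 006A1000 that this function record was taken from, are PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY, which is what a dump of a process that rewrote its own section rights looks like.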

Control-flow Graph

APIs
• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00000001,?), ref: 006A535D (hKey = HKEY_LOCAL_MACHINE, ulOptions = 0, samDesired = KEY_QUERY_VALUE; the subkey name is shown as ?, i.e. not resolved)
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,?), ref: 006A538B (lpReserved = NULL, lpType = NULL, so the caller does not ask for the value's type; the value name is shown as ?, not resolved)
• RegCloseKey.KERNELBASE(?), ref: 006A5397
The three calls form a read-only open, query and close of a single HKLM value. Which value is read cannot be told from this listing, because both string arguments are unresolved.
Memory Dump Source
• Source File: 0000000B.00000002.2470234550.00000000006A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 006A0000, based on PE: true
• Associated: the same twelve dumps listed under the first function record above (API ID: ExitProcess)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6a0000_amert.jbxd
Yara matches
Similarity
• API ID: CloseOpenQueryValue
• String ID:
• API String ID: 3677997916-0
• Opcode ID: 2d14fd47535ab3f15039823df6be582ad0a3be1765a2ab984d244bef41b460a9
• Instruction ID: ce37bad5b3ed9606a006a7a746b634dfd4b3096baadc6e81dd3a385075ce326e
• Opcode Fuzzy Hash: 2d14fd47535ab3f15039823df6be582ad0a3be1765a2ab984d244bef41b460a9
• Instruction Fuzzy Hash: 9441C4B16005189BEB24DF14CC45BEE77BAEF45304F1081ADF515972C1E7759AC48FA4
Uniqueness
Uniqueness Score: -1.00%
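
The "APIs" bullets in these function records print raw hex stack slots, and more of them than the API takes. The script below is an added example for decoding them, not code from the report or from Joe Sandbox. It carries the Win32 prototypes for the five APIs that appear on this page (ExitProcess, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, CoInitialize), uses the prototype's arity to decide which slots are real arguments, and decodes the constants that matter for reading a registry access: the predefined HKEY handles and the REGSAM access-mask bits from winnt.h. The sample lines are the ones from this page; the parsing of other APIs would need their prototypes added to the table.

```python
"""Parse the "APIs" lines of a Joe Sandbox function record and decode constant arguments.
Added example; the prototype table covers only the five APIs shown on this page."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^[\s\u2022]*(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$",
    re.I)

# winreg.h, processthreadsapi.h and objbase.h parameter names, in declaration order
PROTOTYPES = {
    "ExitProcess": ["uExitCode"],
    "RegOpenKeyExA": ["hKey", "lpSubKey", "ulOptions", "samDesired", "phkResult"],
    "RegQueryValueExA": ["hKey", "lpValueName", "lpReserved", "lpType", "lpData", "lpcbData"],
    "RegCloseKey": ["hKey"],
    "CoInitialize": ["pvReserved"],
}
HKEYS = {
    0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
    0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS",
    0x80000005: "HKEY_CURRENT_CONFIG",
}
REGSAM_BITS = {  # winnt.h KEY_* rights plus the standard rights they combine with
    0x1: "KEY_QUERY_VALUE", 0x2: "KEY_SET_VALUE", 0x4: "KEY_CREATE_SUB_KEY",
    0x8: "KEY_ENUMERATE_SUB_KEYS", 0x10: "KEY_NOTIFY", 0x20: "KEY_CREATE_LINK",
    0x100: "KEY_WOW64_64KEY", 0x200: "KEY_WOW64_32KEY", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
}


@dataclass
class ApiCall:
    api: str
    module: str
    slots: List[Optional[int]]  # stack slots as printed; None where the report shows ?
    ref: int                    # address of the call site inside the dumped image

    @property
    def args(self) -> Dict[str, Optional[int]]:
        # zip() stops at the prototype's arity, so trailing stack slots are dropped
        return dict(zip(PROTOTYPES.get(self.api, []), self.slots))


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one bullet such as 'RegOpenKeyExA.KERNELBASE(80000002,?,...), ref: 006A535D'."""
    m = LINE_RE.match(line)
    if not m:
        return None
    slots = [None if a.strip() == "?" else int(a, 16)
             for a in m["args"].split(",") if a.strip()]
    return ApiCall(m["api"], m["mod"], slots, int(m["ref"], 16))


def decode_arg(name: str, value: Optional[int]) -> str:
    """Render one argument: predefined HKEY names, REGSAM bits, NULL pointers, else hex."""
    if value is None:
        return "?"
    if name == "hKey" and value in HKEYS:
        return HKEYS[value]
    if name == "samDesired":
        return "|".join(n for bit, n in REGSAM_BITS.items() if value & bit) or f"0x{value:X}"
    if name.startswith(("lp", "pv", "ph")) and value == 0:  # pointer parameter
        return "NULL"
    return f"0x{value:X}"


def describe(call: ApiCall) -> Dict[str, str]:
    return {n: decode_arg(n, v) for n, v in call.args.items()}


def render(call: ApiCall) -> str:
    inner = ", ".join(f"{n}={v}" for n, v in describe(call).items())
    return f"{call.api}({inner}) @ 0x{call.ref:08X}"


# The five API lines of the function records on this page, copied from the report.
REPORT_API_LINES = [
    "• ExitProcess.KERNEL32(00000000,?,006D5E8A,?,?,00000000,?), ref: 006D5EC7",
    "• RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00000001,?), ref: 006A535D",
    "• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,?), ref: 006A538B",
    "• RegCloseKey.KERNELBASE(?), ref: 006A5397",
    "• CoInitialize.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 006A9EB7",
]

if __name__ == "__main__":
    for line in REPORT_API_LINES:
        print(render(parse_api_line(line)))
```

The arity rule is the point to keep in mind when reading these records: the ExitProcess line shows seven slots and the CoInitialize line sixteen, but each API takes one parameter, so everything after the first slot is the caller's stack and must not be read as an argument. The "ref" address is the call site inside the dump, which is what to jump to in the snapshot when the "?" string arguments need to be recovered by hand.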

Control-flow Graph

Function at 6a9c90 (the graph's edge list, summarised):
• The entry block 6a9c90-6a9d00 calls 50a00ff; 6a9d07-6a9d0c loops on itself; 6a9d0e-6a9ebf then calls 6b7a20, 6b7e70 (twice), 6b7360, 6b7e70 (three times) and CoInitialize.
• After CoInitialize one branch (6a9ec1-6a9ede, 6aa270-6aa290) leads either to 6aa33b-6aa49a (call 6d3a50) or, via 6aa2a1-6aa2b0, to 6aa2c9-6aa329, which calls 6b7360 four times and then 6a9c90 itself, so the function recurses; both routes rejoin the main body at 6a9eec.
• From 6a9eec-6a9ef5 the body is a chain of blocks of the same shape (6a9ef7 through 6aa265): each tests a value, calls 6bcfc8 on the common path and continues to the next block, or branches to 6aa4d2-6aa4d7 (call 6d6597, no successor in the graph) on the other. The chain ends at 6aa4b4-6aa4d1 (call 6bc951, no successor in the graph).
APIs
• CoInitialize.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 006A9EB7 (pvReserved = NULL, the only value CoInitialize accepts; CoInitialize takes one parameter, so the remaining listed slots are stack contents at the call site, not arguments)
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2470234550.00000000006A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 006A0000, based on PE: true
• Associated: the same twelve dumps listed under the first function record above (API ID: ExitProcess)
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6a0000_amert.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Initialize
                                                                                                                                                                                                                                                          • String ID: @3P
                                                                                                                                                                                                                                                          • API String ID: 2538663250-282812438
                                                                                                                                                                                                                                                          • Opcode ID: e5ad814fd4ab49b35cdc3f0dc435878066e414f5b9b65bdbd5631799dd25814e
                                                                                                                                                                                                                                                          • Instruction ID: a1cf652248568e76a4ac09ebfa7866795a174e0336f5b82ef450de7558ebbcb4
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e5ad814fd4ab49b35cdc3f0dc435878066e414f5b9b65bdbd5631799dd25814e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D0326C71A002189FDB18DF28CC99BDDB7B6AF4A304F5081D9E409AB291D7759EC4CF91
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 257 6a6b70-6a6bf2 call 6d3a50 261 6a70da-6a70f7 call 6bc951 257->261 262 6a6bf8-6a6c20 call 6b7360 call 6a5190 257->262 269 6a6c22 262->269 270 6a6c24-6a6c46 call 6b7360 call 6a5190 262->270 269->270 275 6a6c4a-6a6c63 270->275 276 6a6c48 270->276 279 6a6c94-6a6cbf 275->279 280 6a6c65-6a6c74 275->280 276->275 283 6a6cf0-6a6d11 279->283 284 6a6cc1-6a6cd0 279->284 281 6a6c8a-6a6c91 call 6bcfc8 280->281 282 6a6c76-6a6c84 280->282 281->279 282->281 285 6a70f8 call 6d6597 282->285 289 6a6d13-6a6d15 GetNativeSystemInfo 283->289 290 6a6d17-6a6d1c 283->290 287 6a6cd2-6a6ce0 284->287 288 6a6ce6-6a6ced call 6bcfc8 284->288 298 6a70fd-6a7191 call 6d6597 call 6d3a50 285->298 287->285 287->288 288->283 294 6a6d1d-6a6d26 289->294 290->294 296 6a6d28-6a6d2f 294->296 297 6a6d44-6a6d47 294->297 300 6a70d5 296->300 301 6a6d35-6a6d3f 296->301 302 6a707b-6a707e 297->302 303 6a6d4d-6a6d56 297->303 333 6a719d-6a71c5 call 6b7360 call 6a5190 298->333 334 6a7193-6a7198 298->334 300->261 305 6a70d0 301->305 302->300 308 6a7080-6a7089 302->308 306 6a6d58-6a6d64 303->306 307 6a6d69-6a6d6c 303->307 305->300 306->305 310 6a7058-6a705a 307->310 311 6a6d72-6a6d79 307->311 312 6a708b-6a708f 308->312 313 6a70b0-6a70b3 308->313 315 6a7068-6a706b 310->315 316 6a705c-6a7066 310->316 317 6a6d7f-6a6dd6 call 6b7360 call 6a5190 call 6b7360 call 6a5190 call 6a52e0 311->317 318 6a6e54-6a7041 call 6b7360 call 6a5190 call 6b7360 call 6a5190 call 6a52e0 call 6b7360 call 6a5190 call 6a4cb0 call 6b7360 call 6a5190 call 6b7360 call 6a5190 call 6a52e0 call 6b7360 call 6a5190 call 6a4cb0 call 6b7360 call 6a5190 call 6b7360 call 6a5190 call 6a52e0 call 6b7360 call 6a5190 call 6a4cb0 311->318 319 6a7091-6a7096 312->319 320 6a70a4-6a70ae 312->320 322 
6a70c1-6a70cd 313->322 323 6a70b5-6a70bf 313->323 315->300 325 6a706d-6a7079 315->325 316->305 357 6a6ddb-6a6de2 317->357 377 6a7047-6a7050 318->377 319->320 327 6a7098-6a70a2 319->327 320->300 322->305 323->300 325->305 327->300 351 6a71c9-6a71eb call 6b7360 call 6a5190 333->351 352 6a71c7 333->352 338 6a72df-6a72fb call 6bc951 334->338 368 6a71ef-6a7208 351->368 369 6a71ed 351->369 352->351 360 6a6de6-6a6e06 call 6d83bb 357->360 361 6a6de4 357->361 371 6a6e08-6a6e17 360->371 372 6a6e3d-6a6e3f 360->372 361->360 386 6a720a-6a7219 368->386 387 6a7239-6a7264 368->387 369->368 374 6a6e19-6a6e27 371->374 375 6a6e2d-6a6e3a call 6bcfc8 371->375 372->377 378 6a6e45-6a6e4f 372->378 374->298 374->375 375->372 377->302 381 6a7052 377->381 378->377 381->310 389 6a721b-6a7229 386->389 390 6a722f-6a7236 call 6bcfc8 386->390 392 6a7291-6a72b2 387->392 393 6a7266-6a7275 387->393 389->390 394 6a72fc-6a7301 call 6d6597 389->394 390->387 399 6a72b8-6a72bd 392->399 400 6a72b4-6a72b6 392->400 397 6a7287-6a728e call 6bcfc8 393->397 398 6a7277-6a7285 393->398 397->392 398->394 398->397 410 6a72be-6a72c5 399->410 400->410 410->338 412 6a72c7-6a72cf 410->412 414 6a72d8-6a72db 412->414 415 6a72d1-6a72d6 412->415 414->338 417 6a72dd 414->417 415->338 417->338
APIs
• GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 006A6D13
Memory Dump Source
• Source File: 0000000B.00000002.2470234550.00000000006A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 006A0000, based on PE: true
• Associated: 0000000B.00000002.2469465779.00000000006A0000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2470234550.0000000000701000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2475547681.0000000000706000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000708000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.000000000088A000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000965000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000991000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000998000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.00000000009A7000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2481834170.00000000009A8000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2482405481.0000000000B3B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2482540811.0000000000B3D000.00000080.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6a0000_amert.jbxd
Yara matches
Similarity
• API ID: InfoNativeSystem
• String ID:
• API String ID: 1721193555-0
• Opcode ID: 1c4b6a0a3cd2ea8193cf0cf372746a1e43c804ce16c10618188e179cad5bb257
• Instruction ID: 9f7ec362f8b6622f617bbaf2645d6dead69a22dc2e0647032970b6200a5034f1
• Opcode Fuzzy Hash: 1c4b6a0a3cd2ea8193cf0cf372746a1e43c804ce16c10618188e179cad5bb257
• Instruction Fuzzy Hash: 9712F6B1E042449BDB14FB68CC467ED7BB6AB42310F94429CE815A73C2EB355E808F96
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 441 6dcdf5-6dce16 call 6bd8f0 444 6dce18 441->444 445 6dce30-6dce33 441->445 446 6dce4f-6dce5b call 6da81a 444->446 448 6dce1a-6dce20 444->448 445->446 447 6dce35-6dce38 445->447 459 6dce5d-6dce60 446->459 460 6dce65-6dce71 call 6dcd7f 446->460 449 6dce3a-6dce3d 447->449 450 6dce44-6dce4d call 6dcd3d 447->450 448->450 452 6dce22-6dce26 448->452 453 6dce3f-6dce42 449->453 454 6dce73-6dce83 call 6d6e40 call 6d6587 449->454 464 6dce8d-6dce96 450->464 452->446 457 6dce28-6dce2c 452->457 453->450 453->454 454->459 457->454 462 6dce2e 457->462 465 6dcfcc-6dcfdb 459->465 460->454 475 6dce85-6dce8a 460->475 462->450 468 6dce98-6dcea0 call 6d85c5 464->468 469 6dcea3-6dceb4 464->469 468->469 473 6dceca 469->473 474 6dceb6-6dcec8 469->474 477 6dcecc-6dcedd 473->477 474->477 475->464 478 6dcedf-6dcee1 477->478 479 6dcf4b-6dcf5b call 6dcf88 477->479 481 6dcfdc-6dcfde 478->481 482 6dcee7-6dcee9 478->482 492 6dcf5d-6dcf5f 479->492 493 6dcfca 479->493 483 6dcfe8-6dcffb call 6d5f4d 481->483 484 6dcfe0-6dcfe7 call 6d860d 481->484 486 6dceeb-6dceee 482->486 487 6dcef5-6dcf01 482->487 509 6dcffd-6dd007 483->509 510 6dd009-6dd00f 483->510 484->483 486->487 494 6dcef0-6dcef3 486->494 488 6dcf41-6dcf49 487->488 489 6dcf03-6dcf18 call 6dcdec * 2 487->489 488->479 495 6dcf1b-6dcf1d 489->495 499 6dcf9a-6dcfa3 492->499 500 6dcf61-6dcf77 call 6da6c3 492->500 493->465 494->487 494->495 495->488 503 6dcf1f-6dcf2f 495->503 517 6dcfa6-6dcfa9 499->517 500->517 507 6dcf31-6dcf36 503->507 507->479 512 6dcf38-6dcf3f 507->512 509->510 513 6dd03d-6dd048 call 6d6e40 509->513 514 6dd028-6dd039 RtlAllocateHeap 510->514 515 6dd011-6dd012 510->515 512->507 521 6dd04a-6dd04c 513->521 519 6dd03b 514->519 520 6dd014-6dd01b call 6d95bb 514->520 515->514 523 6dcfab-6dcfae 517->523 524 6dcfb5-6dcfbd 517->524 519->521 520->513 530 6dd01d-6dd026 call 6d8633 520->530 523->524 528 6dcfb0-6dcfb3 523->528 524->493 529 6dcfbf-6dcfc7 call 6da6c3 524->529 528->493 528->524 529->493 530->513 530->514
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.2470234550.00000000006A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 006A0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2469465779.00000000006A0000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2470234550.0000000000701000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2475547681.0000000000706000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.0000000000708000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.000000000088A000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.0000000000965000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.0000000000991000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.0000000000998000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.00000000009A7000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2481834170.00000000009A8000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2482405481.0000000000B3B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2482540811.0000000000B3D000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_6a0000_amert.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 03f9571e0b1ba4f205e6915814ec8696a68c302d7c2ed058d76d1edf962eef74
                                                                                                                                                                                                                                                          • Instruction ID: ebc2ce49fbbb43613894015f5fa73d0fb042fa5bd6df0db52a43ae3fd28a66e1
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 03f9571e0b1ba4f205e6915814ec8696a68c302d7c2ed058d76d1edf962eef74
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C261E172D0421A8FDF25AFA8D8856EDBBB3AF59330F24415BE455AB391D7308C01CB95
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 535 6dcff0-6dcffb 536 6dcffd-6dd007 535->536 537 6dd009-6dd00f 535->537 536->537 538 6dd03d-6dd048 call 6d6e40 536->538 539 6dd028-6dd039 RtlAllocateHeap 537->539 540 6dd011-6dd012 537->540 544 6dd04a-6dd04c 538->544 542 6dd03b 539->542 543 6dd014-6dd01b call 6d95bb 539->543 540->539 542->544 543->538 548 6dd01d-6dd026 call 6d8633 543->548 548->538 548->539
APIs
• RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00000003,006DA77F,?,?,006D6277,?,00000000,?,?,006D6EAB,?,00000000), ref: 006DD032
Memory Dump Source
• Source File: 0000000B.00000002.2470234550.00000000006A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 006A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6a0000_amert.jbxd
Yara matches
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(control-flow graph image not reproduced; legend: • Executed • Not Executed)
APIs
• GetFileAttributesA.KERNELBASE(?,006AC434), ref: 006A7549
Memory Dump Source
• Source File: 0000000B.00000002.2470234550.00000000006A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 006A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6a0000_amert.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

(control-flow graph image not reproduced; legend: • Executed • Not Executed)
Memory Dump Source
• Source File: 0000000B.00000002.2501732724.00000000050A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_50a0000_amert.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000B.00000002.2470234550.00000000006A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 006A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6a0000_amert.jbxd
Yara matches
Similarity
• API ID: Mtx_unlock$CurrentThread$Cnd_broadcast
• String ID:
• API String ID: 57040152-0
                                                                                                                                                                                                                                                          • Opcode ID: 96fd2f9971e289bac5896d6fcb6ef4a160ab5868a7dfa8ceffd896973bd25e3f
                                                                                                                                                                                                                                                          • Instruction ID: 57227fbd9c6d41f92fbc77af1435051db5845549e4821d9d5e06a66a10e10e4f
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 96fd2f9971e289bac5896d6fcb6ef4a160ab5868a7dfa8ceffd896973bd25e3f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: ADA1CFB0941216AFDB20EF68C944BEAB7AABF16314F04412DE815D7341EB75EE84CB91
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.2470234550.00000000006A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 006A0000, based on PE: true
• Associated: 0000000B.00000002.2469465779.00000000006A0000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2470234550.0000000000701000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2475547681.0000000000706000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000708000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.000000000088A000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000965000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000991000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000998000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.00000000009A7000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2481834170.00000000009A8000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2482405481.0000000000B3B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2482540811.0000000000B3D000.00000080.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6a0000_amert.jbxd
Yara matches
Similarity
• API ID: _wcsrchr
• String ID: .bat$.cmd$.com$.exe
• API String ID: 1752292252-4019086052
• Opcode ID: ebefd33a4cb17934c472b547c85829478f4e7e4659ae8718e70011a1811ba45c
• Instruction ID: 1f97dee25c6b79383e58dd0203b358ec4f89548d2696e52e2a57e3819355e3fd
• Opcode Fuzzy Hash: ebefd33a4cb17934c472b547c85829478f4e7e4659ae8718e70011a1811ba45c
• Instruction Fuzzy Hash: CE01843BE1462566A714612ADC02BFB57AB8B92BB0727002FFD44FB3C1EF55DC1241A9
Uniqueness

Uniqueness Score: -1.00%

APIs
• ___std_exception_copy.LIBVCRUNTIME ref: 006A2726
• ___std_exception_destroy.LIBVCRUNTIME ref: 006A27C0
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2470234550.00000000006A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 006A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6a0000_amert.jbxd
Yara matches
Similarity
• API ID: ___std_exception_copy___std_exception_destroy
• String ID: p"j$p"j
• API String ID: 2970364248-2576767707
• Opcode ID: bfe3d2e18bcb0f2c6a26a1ceb9dbc0e2fa4e32da018b0c04427527325991fc10
• Instruction ID: 0832358d20f7492a3ff8fb40f0f82d7b92e3c0eee934bf3d5c8a21c320c5ab59
• Opcode Fuzzy Hash: bfe3d2e18bcb0f2c6a26a1ceb9dbc0e2fa4e32da018b0c04427527325991fc10
• Instruction Fuzzy Hash: 627191B1E002499FDB04DFA8C891BDDFBB6EF59310F14816DE805A7381D774AA84CBA5
Uniqueness

Uniqueness Score: -1.00%

APIs
• __Cnd_unregister_at_thread_exit.LIBCPMT ref: 006B744C
• __Cnd_destroy_in_situ.LIBCPMT ref: 006B7458
• __Mtx_destroy_in_situ.LIBCPMT ref: 006B7461
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2470234550.00000000006A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 006A0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6a0000_amert.jbxd
Yara matches
Similarity
• API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situ
• String ID: 0tk
• API String ID: 4078500453-1243166880
• Opcode ID: 60742ddd45f77245275e048edab81819e6d8096417d22e969af6e8aea5852fde
• Instruction ID: 44aa63d69cc4a257edbc84ce91d7736aebc45e12017522593a59f12bdd78aadb
• Opcode Fuzzy Hash: 60742ddd45f77245275e048edab81819e6d8096417d22e969af6e8aea5852fde
• Instruction Fuzzy Hash: E731E3F1A047049FD720DF68D841ADABBE9EF44310F100A7EE945C7641E771EA94C7A5
Uniqueness

Uniqueness Score: -1.00%

APIs
• __Cnd_unregister_at_thread_exit.LIBCPMT ref: 006B93AF
• __Cnd_destroy_in_situ.LIBCPMT ref: 006B93BB
• __Mtx_destroy_in_situ.LIBCPMT ref: 006B93C4
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2470234550.00000000006A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 006A0000, based on PE: true
• Associated: 0000000B.00000002.2469465779.00000000006A0000.00000004.00000001.01000000.0000000B.sdmp
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2470234550.0000000000701000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2475547681.0000000000706000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.0000000000708000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.000000000088A000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.0000000000965000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.0000000000991000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.0000000000998000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.00000000009A7000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2481834170.00000000009A8000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2482405481.0000000000B3B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2482540811.0000000000B3D000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_6a0000_amert.jbxd
                                                                                                                                                                                                                                                          Yara matches
Similarity
• API ID: Cnd_destroy_in_situCnd_unregister_at_thread_exitMtx_destroy_in_situ
• String ID: 0tk
• API String ID: 4078500453-1243166880
• Opcode ID: 4391dba197af9bdc9b00e43d00a9e7fd0c97b3240ea50530b091ba0efa2baa31
• Instruction ID: 6ca837478713f155354e89ef76dea14981bf4a92b85416c591448d0eec3b90ee
• Opcode Fuzzy Hash: 4391dba197af9bdc9b00e43d00a9e7fd0c97b3240ea50530b091ba0efa2baa31
• Instruction Fuzzy Hash: 22F04FF2900B009BCA24DFA0E449BDB73EAAF44300F04091EE696C7A51D774F6C8CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000B.00000002.2470234550.00000000006A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 006A0000, based on PE: true
• Associated: 0000000B.00000002.2469465779.00000000006A0000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2470234550.0000000000701000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2475547681.0000000000706000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000708000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.000000000088A000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000965000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000991000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000998000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.00000000009A7000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2481834170.00000000009A8000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2482405481.0000000000B3B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2482540811.0000000000B3D000.00000080.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6a0000_amert.jbxd
Yara matches
Similarity
• API ID: _strrchr
• String ID:
• API String ID: 3213747228-0
• Opcode ID: c2189248270ea340cbd842f54171ce7f18cb959cd5409b5c13150a41ec3c7c18
• Instruction ID: 9ec50f0e03aa77f4067f0011a1fbf39691e2d27299154dad66cf663b51951b94
• Opcode Fuzzy Hash: c2189248270ea340cbd842f54171ce7f18cb959cd5409b5c13150a41ec3c7c18
• Instruction Fuzzy Hash: 8DB11332D0429A9FDB118F68C8517FEBBE7EF55320F2581ABE8459B341D6349D02CBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000B.00000002.2470234550.00000000006A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 006A0000, based on PE: true
• Associated: 0000000B.00000002.2469465779.00000000006A0000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2470234550.0000000000701000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2475547681.0000000000706000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000708000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.000000000088A000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000965000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000991000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000998000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.00000000009A7000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2481834170.00000000009A8000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2482405481.0000000000B3B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2482540811.0000000000B3D000.00000080.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6a0000_amert.jbxd
Yara matches
Similarity
• API ID: Xtime_diff_to_millis2_xtime_get
• String ID:
• API String ID: 531285432-0
• Opcode ID: 31dee0abd9a71597665e524f765850ed56d9e892431312d98c9daee461f74328
• Instruction ID: 39653120feb7086f6c9cce38f3fcd608591a5050532a972148e56e4d5bbcb7dd
• Opcode Fuzzy Hash: 31dee0abd9a71597665e524f765850ed56d9e892431312d98c9daee461f74328
• Instruction Fuzzy Hash: 4F2165B69006199FDF10EF94CC819FEBBB9EF48710F000029F601B7251D7759E818B95
Uniqueness

Uniqueness Score: -1.00%

APIs
• __Mtx_init_in_situ.LIBCPMT ref: 006B6CDC
Strings
Memory Dump Source
• Source File: 0000000B.00000002.2470234550.00000000006A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 006A0000, based on PE: true
• Associated: 0000000B.00000002.2469465779.00000000006A0000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2470234550.0000000000701000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2475547681.0000000000706000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000708000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.000000000088A000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000965000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000991000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.0000000000998000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2476650601.00000000009A7000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2481834170.00000000009A8000.00000080.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2482405481.0000000000B3B000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 0000000B.00000002.2482540811.0000000000B3D000.00000080.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_6a0000_amert.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Mtx_init_in_situ
                                                                                                                                                                                                                                                          • String ID: Puk$`-j
                                                                                                                                                                                                                                                          • API String ID: 3366076730-3783183623
                                                                                                                                                                                                                                                          • Opcode ID: 15e75a10323db88a393258b991638dbe0bdf2fec647d0bd80922f6a227359f3f
                                                                                                                                                                                                                                                          • Instruction ID: 6ee76eb102edcd6d49ac9aa8b0d207d06aff66ad81da5a59d921415778039f1a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 15e75a10323db88a393258b991638dbe0bdf2fec647d0bd80922f6a227359f3f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5BA138B4A017198FDB21CF68C9847AEBBF1EF48710F198159E809AB351E7799D41CF80
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.2470234550.00000000006A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 006A0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2469465779.00000000006A0000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2470234550.0000000000701000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2475547681.0000000000706000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.0000000000708000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.000000000088A000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.0000000000965000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.0000000000991000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.0000000000998000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.00000000009A7000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2481834170.00000000009A8000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2482405481.0000000000B3B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2482540811.0000000000B3D000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_6a0000_amert.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID: p"j$p"j
                                                                                                                                                                                                                                                          • API String ID: 0-2576767707
                                                                                                                                                                                                                                                          • Opcode ID: 18f43098ea1f7ff6e030651b1b0a3f04c0d28bead8b9ee16fe041bbc02f7990e
                                                                                                                                                                                                                                                          • Instruction ID: 4ac8d1b9e35279037b42dad615146f91b22a63f4c2aeb72a0c30992540c1ca47
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 18f43098ea1f7ff6e030651b1b0a3f04c0d28bead8b9ee16fe041bbc02f7990e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2051F3B2A002199FCF14EF6CD8419EE77AAEF44310B10467AE915EB341DA30EE90C795
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • ___std_exception_copy.LIBVCRUNTIME ref: 006A239E
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.2470234550.00000000006A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 006A0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2469465779.00000000006A0000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2470234550.0000000000701000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2475547681.0000000000706000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.0000000000708000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.000000000088A000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.0000000000965000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.0000000000991000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.0000000000998000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.00000000009A7000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2481834170.00000000009A8000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2482405481.0000000000B3B000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2482540811.0000000000B3D000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_6a0000_amert.jbxd
                                                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ___std_exception_copy
                                                                                                                                                                                                                                                          • String ID: p"j$p"j
                                                                                                                                                                                                                                                          • API String ID: 2659868963-2576767707
                                                                                                                                                                                                                                                          • Opcode ID: e350a5ad1d3153a4132b0fd3fa6d77f5e14ed59cf09c5e6afe2ea9fc1b7d7230
                                                                                                                                                                                                                                                          • Instruction ID: 484828320afcf7509c1487e26d49b02020d6937dc150d1ffe76cc80d25038daa
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e350a5ad1d3153a4132b0fd3fa6d77f5e14ed59cf09c5e6afe2ea9fc1b7d7230
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EFF0A0B2C1031C6BC714EFE9D842986BBADDE11300B50893AF614E7641F670F64887D5
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • ___std_exception_copy.LIBVCRUNTIME ref: 006A2472
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000B.00000002.2470234550.00000000006A1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 006A0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2469465779.00000000006A0000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2470234550.0000000000701000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2475547681.0000000000706000.00000004.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.0000000000708000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.000000000088A000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.0000000000965000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.0000000000991000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.0000000000998000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2476650601.00000000009A7000.00000040.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2481834170.00000000009A8000.00000080.00000001.01000000.0000000B.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000B.00000002.2482405481.0000000000B3B000.00000040.00000001.01000000.0000000B.sdmpDownload File
• Associated: 0000000B.00000002.2482540811.0000000000B3D000.00000080.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_6a0000_amert.jbxd
Yara matches
Similarity
• API ID: ___std_exception_copy
• String ID: p"j$p"j
• API String ID: 2659868963-2576767707
• Opcode ID: b4b597da0a5c5d4be70739190978d2a5152a7c2fe50b8e6e231777243332b07d
• Instruction ID: d41cff3151611d6ba5033481a7e3d128a7455af70c56c75c26433d7eff2cc75f
• Opcode Fuzzy Hash: b4b597da0a5c5d4be70739190978d2a5152a7c2fe50b8e6e231777243332b07d
• Instruction Fuzzy Hash: 85F08271D1120DEBC714DF69D8419DEBBF5AF55300F1082AEE444A7340EB705B948B99
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 234 8d42de-8d434d call 8da961 GetVersionExW call 8d6b57 239 913617-91362a 234->239 240 8d4353 234->240 242 91362b-91362f 239->242 241 8d4355-8d4357 240->241 243 8d435d-8d43bc call 8d93b2 call 8d37a0 241->243 244 913656 241->244 245 913631 242->245 246 913632-91363e 242->246 263 9137df-9137e6 243->263 264 8d43c2-8d43c4 243->264 249 91365d-913660 244->249 245->246 246->242 248 913640-913642 246->248 248->241 251 913648-91364f 248->251 252 8d441b-8d4435 GetCurrentProcess IsWow64Process 249->252 253 913666-9136a8 249->253 251->239 255 913651 251->255 258 8d4494-8d449a 252->258 259 8d4437 252->259 253->252 256 9136ae-9136b1 253->256 255->244 261 9136b3-9136bd 256->261 262 9136db-9136e5 256->262 260 8d443d-8d4449 258->260 259->260 265 8d444f-8d445e LoadLibraryA 260->265 266 913824-913828 GetSystemInfo 260->266 267 9136ca-9136d6 261->267 268 9136bf-9136c5 261->268 270 9136e7-9136f3 262->270 271 9136f8-913702 262->271 272 913806-913809 263->272 273 9137e8 263->273 264->249 269 8d43ca-8d43dd 264->269 274 8d449c-8d44a6 GetSystemInfo 265->274 275 8d4460-8d446e GetProcAddress 265->275 267->252 268->252 276 913726-91372f 269->276 277 8d43e3-8d43e5 269->277 270->252 279 913715-913721 271->279 280 913704-913710 271->280 281 9137f4-9137fc 272->281 282 91380b-91381a 272->282 278 9137ee 273->278 285 8d4476-8d4478 274->285 275->274 284 8d4470-8d4474 GetNativeSystemInfo 275->284 288 913731-913737 276->288 289 91373c-913748 276->289 286 8d43eb-8d43ee 277->286 287 91374d-913762 277->287 278->281 279->252 280->252 281->272 282->278 283 91381c-913822 282->283 283->281 284->285 292 8d447a-8d447b FreeLibrary 285->292 293 8d4481-8d4493 285->293 294 913791-913794 286->294 295 8d43f4-8d440f 286->295 290 913764-91376a 287->290 291 91376f-91377b 287->291 288->252 289->252 290->252 291->252 292->293 294->252 296 91379a-9137c1 294->296 297 913780-91378c 295->297 298 8d4415 295->298 299 9137c3-9137c9 296->299 300 9137ce-9137da 296->300 297->252 298->252 299->252 300->252
APIs
• GetVersionExW.KERNEL32(?), ref: 008D430D
  • Part of subcall function 008D6B57: _wcslen.LIBCMT ref: 008D6B6A
• GetCurrentProcess.KERNEL32(?,0096CB64,00000000,?,?), ref: 008D4422
• IsWow64Process.KERNEL32(00000000,?,?), ref: 008D4429
• LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 008D4454
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 008D4466
• GetNativeSystemInfo.KERNEL32(?,?,?), ref: 008D4474
• FreeLibrary.KERNEL32(00000000,?,?), ref: 008D447B
• GetSystemInfo.KERNEL32(?,?,?), ref: 008D44A0
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
• String ID: GetNativeSystemInfo$kernel32.dll$|O
• API String ID: 3290436268-3101561225
• Opcode ID: 64c9ebf4c71618faefa4465e0028876133a38f852953e2a6ce5a2e1146f9e378
• Instruction ID: a8b8c5ec475c8d7d5011142bf4cfd5e74b8fdcdee39ea478ca9d9fac00ac2b40
• Opcode Fuzzy Hash: 64c9ebf4c71618faefa4465e0028876133a38f852953e2a6ce5a2e1146f9e378
• Instruction Fuzzy Hash: 0CA1F36192E2C4DFCF11CF697C411E83FA9BF23344F08999AE08193B21DE304588EBA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 638 8d42a2-8d42ba CreateStreamOnHGlobal 639 8d42bc-8d42d3 FindResourceExW 638->639 640 8d42da-8d42dd 638->640 641 8d42d9 639->641 642 9135ba-9135c9 LoadResource 639->642 641->640 642->641 643 9135cf-9135dd SizeofResource 642->643 643->641 644 9135e3-9135ee LockResource 643->644 644->641 645 9135f4-913612 644->645 645->641
APIs
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,008D50AA,?,?,00000000,00000000), ref: 008D42B2
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,008D50AA,?,?,00000000,00000000), ref: 008D42C9
• LoadResource.KERNEL32(?,00000000,?,?,008D50AA,?,?,00000000,00000000,?,?,?,?,?,?,008D4F20), ref: 009135BE
• SizeofResource.KERNEL32(?,00000000,?,?,008D50AA,?,?,00000000,00000000,?,?,?,?,?,?,008D4F20), ref: 009135D3
• LockResource.KERNEL32(008D50AA,?,?,008D50AA,?,?,00000000,00000000,?,?,?,?,?,?,008D4F20,?), ref: 009135E6
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT
• API String ID: 3051347437-3967369404
• Opcode ID: 939cd59e68874e40a4f950b75e19d24c4a9dd0328e4d90787d00f0387a133be4
• Instruction ID: 4d19b1c1edd8295000cf4e4864495b9814edb47fcbd236e7015e630494fb9545
• Opcode Fuzzy Hash: 939cd59e68874e40a4f950b75e19d24c4a9dd0328e4d90787d00f0387a133be4
• Instruction Fuzzy Hash: CD117CB0200701BFE7218B65DC48F677BBAEBC5B51F10826EF856D6250DBB2D8009660
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• SetCurrentDirectoryW.KERNEL32(?), ref: 008D2B6B
  • Part of subcall function 008D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009A1418,?,008D2E7F,?,?,?,00000000), ref: 008D3A78
  • Part of subcall function 008D9CB3: _wcslen.LIBCMT ref: 008D9CBD
• GetForegroundWindow.USER32(runas,?,?,?,?,?,00992224), ref: 00912C10
• ShellExecuteW.SHELL32(00000000,?,?,00992224), ref: 00912C17
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
• String ID: runas
• API String ID: 448630720-4000483414
• Opcode ID: 66cbc51c2bf1795f19e6ee905804df9e267b90b51b027b13b2284417ceeddc3c
• Instruction ID: a92cce5048da660babd6226e14a3f88ecc9035daa80abdb78047fc28ed6304ac
• Opcode Fuzzy Hash: 66cbc51c2bf1795f19e6ee905804df9e267b90b51b027b13b2284417ceeddc3c
• Instruction Fuzzy Hash: 42119331608345AAC718FF6CE8519BE77A4FBA5754F44062FF082923A2CF6189499753
Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Control-flow Graph

APIs
• GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 0093ABF1
• SetKeyboardState.USER32(00000080,?,00008000), ref: 0093AC0D
• PostMessageW.USER32(00000000,00000101,00000000), ref: 0093AC74
• SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 0093ACC6
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
• Opcode ID: 4c57dc2d34982118e679595420dafc0b42e326c09bef443b09384fdce111084b
• Instruction ID: 15602e73be1afd5f9061de04e9a81f834eb04bd342fa24ff95a2d8560d2c3733
• Opcode Fuzzy Hash: 4c57dc2d34982118e679595420dafc0b42e326c09bef443b09384fdce111084b
• Instruction Fuzzy Hash: DD312670A043186FEF35CB65CC087FA7BA9AB89310F08671AE4C5921D1C3798D819F52
Uniqueness

Uniqueness Score: -1.00%


APIs
• GetCurrentProcess.KERNEL32(009028E9,?,008F4CBE,009028E9,009988B8,0000000C,008F4E15,009028E9,00000002,00000000,?,009028E9), ref: 008F4D09
• TerminateProcess.KERNEL32(00000000,?,008F4CBE,009028E9,009988B8,0000000C,008F4E15,009028E9,00000002,00000000,?,009028E9), ref: 008F4D10
• ExitProcess.KERNEL32 ref: 008F4D22
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
• Opcode ID: b6f76dcc3fc800fca9fc949152edcf47f765a3e2ee40a0e0bb0e07fd542fd572
• Instruction ID: 9452dedbb4ce4db278b649032b3b398c7d9ebec620da0cdf8fe4de9c4384fa2f
• Opcode Fuzzy Hash: b6f76dcc3fc800fca9fc949152edcf47f765a3e2ee40a0e0bb0e07fd542fd572
• Instruction Fuzzy Hash: F1E0B671014148AFDF11BF64DE0AE6A3F69FB85781B108019FD55CA222DB75DD42DB80
Uniqueness

Uniqueness Score: -1.00%


APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0093B25D
• keybd_event.USER32(?,7694C0D0,?,00000000), ref: 0093B270
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: InputSendkeybd_event
• String ID:
• API String ID: 3536248340-0
• Opcode ID: 575334e085d3b9a23fff236ff60fddce14204efc11eb25f86a8a50955f0ccc5b
• Instruction ID: 883ba6fa70d83fbb160fe7a405f2a1e30f5416ab3e6a4e440660aeea24332bb4
• Opcode Fuzzy Hash: 575334e085d3b9a23fff236ff60fddce14204efc11eb25f86a8a50955f0ccc5b
• Instruction Fuzzy Hash: 4EF01D7181428DABDB059FA1C806BBE7BB4FF04309F00840AF965A5192C7B996119F94
Uniqueness

Uniqueness Score: -1.00%


APIs
• GetInputState.USER32 ref: 008DD807
• timeGetTime.WINMM ref: 008DDA07
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008DDB28
• TranslateMessage.USER32(?), ref: 008DDB7B
• DispatchMessageW.USER32(?), ref: 008DDB89
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008DDB9F
• Sleep.KERNEL32(0000000A), ref: 008DDBB1
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
• String ID:
• API String ID: 2189390790-0
• Opcode ID: b8b6dadc93bca3854b3428ace869405451bac5256d3cf3df192ef28720968961
• Instruction ID: 7c640fc57ac962e957e47145a0ff39c27d26aa0dff18c1ef9d4730b939538e71
• Opcode Fuzzy Hash: b8b6dadc93bca3854b3428ace869405451bac5256d3cf3df192ef28720968961
• Instruction Fuzzy Hash: C142DD70608351AFD728DF28D894BAABBE4FF86314F14861AF895C7391D771E844DB82
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 008D2D07
• RegisterClassExW.USER32(00000030), ref: 008D2D31
• RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008D2D42
• InitCommonControlsEx.COMCTL32(?), ref: 008D2D5F
                                                                                                                                                                                                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008D2D6F
                                                                                                                                                                                                                                                          • LoadIconW.USER32(000000A9), ref: 008D2D85
                                                                                                                                                                                                                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008D2D94
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                                                                                                                                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                                                                                                                                                                          • API String ID: 2914291525-1005189915
                                                                                                                                                                                                                                                          • Opcode ID: 84090dd7e9c9e85012fa49cd461c44bef77b5e600bf57f0854bb143749822800
                                                                                                                                                                                                                                                          • Instruction ID: 3ddcf35233f9387d20599274e61eefabcb6644f19d849df5935777b89e458192
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 84090dd7e9c9e85012fa49cd461c44bef77b5e600bf57f0854bb143749822800
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6221F4B5929318AFDF00DFA4EC49BEEBBB4FB49700F00411AF551A62A0D7B10544EF91
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 0091039A: CreateFileW.KERNEL32(00000000,00000000,?,00910704,?,?,00000000,?,00910704,00000000,0000000C), ref: 009103B7
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0091076F
                                                                                                                                                                                                                                                          • __dosmaperr.LIBCMT ref: 00910776
                                                                                                                                                                                                                                                          • GetFileType.KERNEL32(00000000), ref: 00910782
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0091078C
                                                                                                                                                                                                                                                          • __dosmaperr.LIBCMT ref: 00910795
                                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 009107B5
                                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 009108FF
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 00910931
                                                                                                                                                                                                                                                          • __dosmaperr.LIBCMT ref: 00910938
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                                                                                                                                                          • String ID: H
                                                                                                                                                                                                                                                          • API String ID: 4237864984-2852464175
                                                                                                                                                                                                                                                          • Opcode ID: d8f34c0c9045c15bc633a2abda133e5d0dbfc346f7391980c36bd5768dbee659
                                                                                                                                                                                                                                                          • Instruction ID: b3df8fdf7ced1ac654c26930209196826a2bff7e1aa372a0585227252fd530fb
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d8f34c0c9045c15bc633a2abda133e5d0dbfc346f7391980c36bd5768dbee659
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 67A12632A141088FDF19AF68DC51BEE3BA4AF86324F14015DF815EB2D1C7769892DB91
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 008D3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009A1418,?,008D2E7F,?,?,?,00000000), ref: 008D3A78
                                                                                                                                                                                                                                                            • Part of subcall function 008D3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008D3379
                                                                                                                                                                                                                                                          • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 008D356A
                                                                                                                                                                                                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0091318D
                                                                                                                                                                                                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009131CE
                                                                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?), ref: 00913210
                                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 00913277
                                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 00913286
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                                                                                                                                                                                                                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                                                                                                                                                                                          • API String ID: 98802146-2727554177
                                                                                                                                                                                                                                                          • Opcode ID: 9dd96826e80417bb9f95d3c5104a948c339ed26532bcbb7b7466491e2832a16e
                                                                                                                                                                                                                                                          • Instruction ID: 0eec370abc4bbbecc5d3460978b0d7c14bda9fbae9f6ea0dc954bb64bb868108
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9dd96826e80417bb9f95d3c5104a948c339ed26532bcbb7b7466491e2832a16e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1B7191715183049EC714EF6DEC418ABBBE8FF86B40F40492EF585C7260EB759A48DB92
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

Control-flow Graph

APIs
• GetSysColorBrush.USER32(0000000F), ref: 008D2B8E
• LoadCursorW.USER32(00000000,00007F00), ref: 008D2B9D
• LoadIconW.USER32(00000063), ref: 008D2BB3
• LoadIconW.USER32(000000A4), ref: 008D2BC5
• LoadIconW.USER32(000000A2), ref: 008D2BD7
• LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 008D2BEF
• RegisterClassExW.USER32(?), ref: 008D2C40
  • Part of subcall function 008D2CD4: GetSysColorBrush.USER32(0000000F), ref: 008D2D07
  • Part of subcall function 008D2CD4: RegisterClassExW.USER32(00000030), ref: 008D2D31
  • Part of subcall function 008D2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008D2D42
  • Part of subcall function 008D2CD4: InitCommonControlsEx.COMCTL32(?), ref: 008D2D5F
  • Part of subcall function 008D2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008D2D6F
  • Part of subcall function 008D2CD4: LoadIconW.USER32(000000A9), ref: 008D2D85
  • Part of subcall function 008D2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 008D2D94
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
• String ID: #$0$AutoIt v3
• API String ID: 423443420-4155596026
• Opcode ID: 0c364905eca3c0c9fc73b1315f3d5153ec065244b103a273da3e0d8d8616d346
• Instruction ID: 2ffc403f8c77fdc76c931948d968ccdf8f568e92a143849f8b3bbe1f023ebd54
• Opcode Fuzzy Hash: 0c364905eca3c0c9fc73b1315f3d5153ec065244b103a273da3e0d8d8616d346
• Instruction Fuzzy Hash: 7A21F8B4A28314AFDB109FA5EC55AA97FF4FF49B54F00001AF504A66A0DBB10540AF90
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Rendered graph (executed / not executed colouring) not captured. Basic blocks at 008D3170-008D326D and 00912D9C-00912E96. Win32 calls in the graph: DefWindowProcW, PostQuitMessage, KillTimer, SetTimer, RegisterWindowMessageW, CreatePopupMenu, MoveWindow, SetFocus. Subroutine calls: 008D18E2, 008EE499, 0093BF30, 0093C161, 00930AD7, 008D30F2, 008D3C50, 008D326F, 008D3837.
APIs
• DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,008D316A,?,?), ref: 008D31D8
• KillTimer.USER32(?,00000001,?,?,?,?,?,008D316A,?,?), ref: 008D3204
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008D3227
• RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,008D316A,?,?), ref: 008D3232
• CreatePopupMenu.USER32 ref: 008D3246
• PostQuitMessage.USER32(00000000), ref: 008D3267
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
• String ID: TaskbarCreated
• API String ID: 129472671-2362178303
• Opcode ID: d7d1e83738994b62c16198c8ca4d7a18395809752ec994991930fdf15d2c9df8
• Instruction ID: 1c2a356ec91149e5e6780fd1b4a021a3e9a68058ec175acfefc92fdc474a4bd2
• Opcode Fuzzy Hash: d7d1e83738994b62c16198c8ca4d7a18395809752ec994991930fdf15d2c9df8
• Instruction Fuzzy Hash: 9E411975618209A7DF152F78AC0DBBA3B59FB46345F04032BF551C53A1CBA19A40A7E3
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph

• Rendered graph (executed / not executed colouring) not captured. Basic blocks at 008D1410-008D171A and 009124B8-00912677. Win32 calls in the graph: mciSendStringW, DestroyWindow, UnregisterHotKey, FindClose, FreeLibrary, VirtualFree, OleUninitialize. Subroutine calls: 008D182E, 008D10D0, 008D6246, 009432B1, 008DCFA0, 00943317, 008D1A05, 008D19AE, 009432EB, 008EF80E, 008D988F (called three times from the final block), 008D1944, 008D17D5, 008EFE14, 008D177C, 008D17FE, 008EFDCD, 009364D4, 008EAC64, 00943245, 009432CC, 008D190A, 008D1876.
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 008D1459
• OleUninitialize.OLE32(?,00000000), ref: 008D14F8
• UnregisterHotKey.USER32(?), ref: 008D16DD
• DestroyWindow.USER32(?), ref: 009124B9
• FreeLibrary.KERNEL32(?), ref: 0091251E
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 0091254B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
• Opcode ID: 0b9666aee61e855b04fa5aa39526cdc0805b494282ad13fd265d691c3c71cd42
• Instruction ID: 83f9d06cb60b7db0f4d30faed62a65727d2a5e912a2b7aa59d18644f664a42fe
• Opcode Fuzzy Hash: 0b9666aee61e855b04fa5aa39526cdc0805b494282ad13fd265d691c3c71cd42
• Instruction Fuzzy Hash: 5DD17C317012129FCB29EF19D499A69F7A5FF05700F1442AEE44AAB362CB30EC62CF51
Uniqueness

Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 648 8d2c63-8d2cd3 CreateWindowExW * 2 ShowWindow * 2
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 008D2C91
                                                                                                                                                                                                                                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 008D2CB2
                                                                                                                                                                                                                                                          • ShowWindow.USER32(00000000,?,?,?,?,?,?,008D1CAD,?), ref: 008D2CC6
                                                                                                                                                                                                                                                          • ShowWindow.USER32(00000000,?,?,?,?,?,?,008D1CAD,?), ref: 008D2CCF
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Window$CreateShow
                                                                                                                                                                                                                                                          • String ID: AutoIt v3$edit
                                                                                                                                                                                                                                                          • API String ID: 1584632944-3779509399
                                                                                                                                                                                                                                                          • Opcode ID: f4beae62682a17838a1eec58b0dc1cb00d9e5be81f1f4f0fe2ebd8255c360b14
                                                                                                                                                                                                                                                          • Instruction ID: fa32e490bc31bdaad27e52e9f187525bcc281f0a1e727b6e49cc858e4ead15c1
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f4beae62682a17838a1eec58b0dc1cb00d9e5be81f1f4f0fe2ebd8255c360b14
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 47F0DAB65642A07AEB311B17AC08E772EBDDBC7F60F00005FF900A25A0CAA51850FAB0
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 763 95ad64-95ad9c call 8da961 call 8f2340 768 95add1-95add5 763->768 769 95ad9e-95adb5 call 8d7510 763->769 771 95add7-95adee call 8d7510 call 8d7620 768->771 772 95adf1-95adf5 768->772 769->768 778 95adb7-95adce call 8d7510 call 8d7620 769->778 771->772 773 95adf7-95ae0e call 8d7510 772->773 774 95ae3a 772->774 779 95ae3c-95ae40 773->779 787 95ae10-95ae21 call 8d9b47 773->787 774->779 778->768 783 95ae53-95aeae call 8f2340 call 8d7510 ShellExecuteExW 779->783 784 95ae42-95ae50 call 8db567 779->784 800 95aeb7-95aeb9 783->800 801 95aeb0-95aeb6 call 8efe14 783->801 784->783 787->774 799 95ae23-95ae2e call 8d7510 787->799 799->774 808 95ae30-95ae35 call 8da8c7 799->808 805 95aec2-95aec6 800->805 806 95aebb-95aec1 call 8efe14 800->806 801->800 810 95aec8-95aed6 805->810 811 95af0a-95af0e 805->811 806->805 808->774 816 95aed8 810->816 817 95aedb-95aeeb 810->817 812 95af10-95af19 811->812 813 95af1b-95af33 call 8dcfa0 811->813 820 95af6d-95af7b call 8d988f 812->820 813->820 827 95af35-95af46 GetProcessId 813->827 816->817 818 95aef0-95af08 call 8dcfa0 817->818 819 95aeed 817->819 818->820 819->818 828 95af4e-95af67 call 8dcfa0 CloseHandle 827->828 829 95af48 827->829 828->820 829->828
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • ShellExecuteExW.SHELL32(0000003C), ref: 0095AEA3
                                                                                                                                                                                                                                                            • Part of subcall function 008D7620: _wcslen.LIBCMT ref: 008D7625
                                                                                                                                                                                                                                                          • GetProcessId.KERNEL32(00000000), ref: 0095AF38
                                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000), ref: 0095AF67
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CloseExecuteHandleProcessShell_wcslen
                                                                                                                                                                                                                                                          • String ID: <$@
                                                                                                                                                                                                                                                          • API String ID: 146682121-1426351568
                                                                                                                                                                                                                                                          • Opcode ID: c3142aa3c5f9dc4820115b782e88a1ce1b514579632ff50186e265c39f660d94
                                                                                                                                                                                                                                                          • Instruction ID: 267d03a28a768f58bcd8fb6c1407cb85a49b44d4e6fc87d5053dbeb6ae0039dc
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c3142aa3c5f9dc4820115b782e88a1ce1b514579632ff50186e265c39f660d94
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 09717A70A00215DFCB14DF59D485A9EBBF4FF08310F04869AE816AB362DB74ED49CB96
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                                                          control_flow_graph 868 8d3b1c-8d3b27 869 8d3b99-8d3b9b 868->869 870 8d3b29-8d3b2e 868->870 872 8d3b8c-8d3b8f 869->872 870->869 871 8d3b30-8d3b48 RegOpenKeyExW 870->871 871->869 873 8d3b4a-8d3b69 RegQueryValueExW 871->873 874 8d3b6b-8d3b76 873->874 875 8d3b80-8d3b8b RegCloseKey 873->875 876 8d3b78-8d3b7a 874->876 877 8d3b90-8d3b97 874->877 875->872 878 8d3b7e 876->878 877->878 878->875
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,008D3B0F,SwapMouseButtons,00000004,?), ref: 008D3B40
                                                                                                                                                                                                                                                          • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,008D3B0F,SwapMouseButtons,00000004,?), ref: 008D3B61
                                                                                                                                                                                                                                                          • RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,008D3B0F,SwapMouseButtons,00000004,?), ref: 008D3B83
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CloseOpenQueryValue
                                                                                                                                                                                                                                                          • String ID: Control Panel\Mouse
                                                                                                                                                                                                                                                          • API String ID: 3677997916-824357125
                                                                                                                                                                                                                                                          • Opcode ID: ebfb85a062a4823d903f3867d9664bb5da6f408d8ef3cce6bedf8452b51ab871
                                                                                                                                                                                                                                                          • Instruction ID: 722129cbd6a28bee2a1903fbee969daa308fac33f43050e467fee4d34aa1bdb0
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ebfb85a062a4823d903f3867d9664bb5da6f408d8ef3cce6bedf8452b51ab871
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DE112AB5520208FFDB208FA5DC44AAEB7B8FF05764B10456BF845D7210D2719E40A761
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                                                          • Not Executed
Control flow graph (basic blocks with their out-edges):
• 911 93b0a8-93b0b3 -> 912, 913
• 912 93b0b5 -> 914, 915
• 913 93b12c-93b12e
• 914 93b0b7-93b0b9 -> 916
• 915 93b0bb-93b0be -> 917, 918
• 916 93b126 Sleep -> 913
• 917 93b0c0-93b0cc QueryPerformanceCounter -> 918, 919
• 918 93b125 -> 916
• 919 93b0ce-93b0d6 -> 920, 921
• 920 93b0d8 -> 921
• 921 93b0de-93b0e4 -> 922
• 922 93b0e7-93b121 Sleep QueryPerformanceCounter call 8ee398 -> 925
• 925 93b123 -> 913
APIs
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0093ACD3,?,00008000), ref: 0093B0C4
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0093ACD3,?,00008000), ref: 0093B0E9
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0093ACD3,?,00008000), ref: 0093B0F3
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0093ACD3,?,00008000), ref: 0093B126
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: CounterPerformanceQuerySleep
• String ID:
• API String ID: 2875609808-0
• Opcode ID: 39ed3dced065d1adc1d0f8402c3287995740c74a29444e99af517bb31f36b853
• Instruction ID: 9c7731879a1826c315ea1b7ae6dcf74b0e2c60f33ea1d483212630f2e7ce65e5
• Opcode Fuzzy Hash: 39ed3dced065d1adc1d0f8402c3287995740c74a29444e99af517bb31f36b853
• Instruction Fuzzy Hash: 8911A170C0851CDBCF04AFE4D9586FEBB78FF0A310F014089EA81B6145CB7045509F51
Uniqueness
Uniqueness Score: -1.00%
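The block above wraps a Sleep call between two QueryPerformanceCounter reads (0093B0C4, 0093B0E9, 0093B0F3) and hands the result to the call at 8ee398. That triple is the shape of a sleep-acceleration check: a sandbox that fast-forwards Sleep returns long before the requested delay has really elapsed, and the caller can see that in the counter delta. The report shows only the API chain, not what the function does with the delta, so the following is an added illustration of how such a check works, not the sample's code. It uses POSIX clock_gettime/nanosleep in place of the Win32 calls so it builds on any host, and the 20% tolerance is an assumed value.

```c
/* Added illustration, not code from the analysed sample.  Mirrors the
 * QueryPerformanceCounter -> Sleep -> QueryPerformanceCounter pattern with
 * portable POSIX calls: measure how much wall-clock time a sleep really took
 * and flag it when the measured delay is implausibly short. */
#define _POSIX_C_SOURCE 199309L
#include <errno.h>
#include <stdio.h>
#include <time.h>

/* Pure decision step.  Returns 1 when the measured delay is shorter than the
 * requested one by more than 'tolerance' (a fraction, e.g. 0.20).  The
 * threshold is an assumption; the report does not show the sample's value. */
int elapsed_looks_accelerated(double requested_ms, double measured_ms, double tolerance)
{
    if (requested_ms <= 0.0)
        return 0;
    return measured_ms < requested_ms * (1.0 - tolerance);
}

/* Monotonic timestamp in milliseconds (stand-in for QueryPerformanceCounter). */
static double now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (double)ts.tv_sec * 1000.0 + (double)ts.tv_nsec / 1.0e6;
}

/* Timed sleep: the analogue of the QPC / Sleep / QPC triple in the graph.
 * Returns the wall-clock time actually consumed, in milliseconds. */
double measured_sleep_ms(unsigned ms)
{
    struct timespec req;
    req.tv_sec = (time_t)(ms / 1000);
    req.tv_nsec = (long)(ms % 1000) * 1000000L;

    double start = now_ms();
    /* nanosleep may be interrupted by a signal; resume with the remainder. */
    while (nanosleep(&req, &req) == -1 && errno == EINTR)
        ;
    return now_ms() - start;
}

/* Full check as a malware author would wire it: sleep, then judge the delta. */
int sleep_was_skipped(unsigned ms)
{
    return elapsed_looks_accelerated((double)ms, measured_sleep_ms(ms), 0.20);
}

int main(void)
{
    unsigned requested = 50;
    double got = measured_sleep_ms(requested);
    printf("requested %u ms, measured %.1f ms -> %s\n", requested, got,
           elapsed_looks_accelerated((double)requested, got, 0.20)
               ? "accelerated (sleep skipped?)"
               : "plausible");
    return 0;
}
```

When triaging a report like this one, the interesting part is the branch that consumes the delta (here the blocks at 93b0ce-93b0d6 and the call at 8ee398): that is where the sample decides whether to continue. A sandbox that skips sleeps without also advancing the high-resolution counter consistently will fail this kind of check, which is why Joe Sandbox flags the API chain as indicative of sandbox detection.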

APIs
• __Init_thread_footer.LIBCMT ref: 008DFE66
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Init_thread_footer
• String ID:
• API String ID: 1385522511-0
• Opcode ID: c1f9eca16ff32ef2cd83586488631f0db735a6b85d1b36212078e1e10533790a
• Instruction ID: b1d6633113fe09957462afb6d5975ae6d79710c0431ff9a2bb768a5efbbd238a
• Opcode Fuzzy Hash: c1f9eca16ff32ef2cd83586488631f0db735a6b85d1b36212078e1e10533790a
• Instruction Fuzzy Hash: B1B259746083518FCB24DF18D480A2AB7E1FF86314F244A6EE986DB352D771EC41EB92
Uniqueness
Uniqueness Score: -1.00%

APIs
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009133A2
  • Part of subcall function 008D6B57: _wcslen.LIBCMT ref: 008D6B6A
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 008D3A04
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_wcslen
• String ID: Line:
• API String ID: 2289894680-1585850449
• Opcode ID: 8f4295574b32c124d73d2c227624ece83a547074f95546c795f456c474db352a
• Instruction ID: 4919f9e52370e8973ead643964b4d8d5d78fca657fda7ce9e88d2f6c87961ef3
• Opcode Fuzzy Hash: 8f4295574b32c124d73d2c227624ece83a547074f95546c795f456c474db352a
• Instruction Fuzzy Hash: F131CD71508308AAC725EB28DC45AEBB7E8FF41714F00462BF599C2291EF709A48C7D3
Uniqueness
Uniqueness Score: -1.00%

APIs
• __CxxThrowException@8.LIBVCRUNTIME ref: 008F0668
  • Part of subcall function 008F32A4: RaiseException.KERNEL32(?,?,?,008F068A,?,009A1444,?,?,?,?,?,?,008F068A,008D1129,00998738,008D1129), ref: 008F3304
• __CxxThrowException@8.LIBVCRUNTIME ref: 008F0685
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Exception@8Throw$ExceptionRaise
• String ID: Unknown exception
• API String ID: 3476068407-410509341
• Opcode ID: 66b53d04a2e57a016b8278a56524e532cde14bb163d094630b6832e5ad12d505
• Instruction ID: a92089fbb00fb991a11e0059f99abfa8df70931bb39b90d93cf6d22f9a50308d
• Opcode Fuzzy Hash: 66b53d04a2e57a016b8278a56524e532cde14bb163d094630b6832e5ad12d505
• Instruction Fuzzy Hash: E5F0AF24A0030D6B8F00BAB9EC46DBE7B6CFE51354B604135BB14D6593EF71EA258A82
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 008D1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 008D1BF4
  • Part of subcall function 008D1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 008D1BFC
  • Part of subcall function 008D1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008D1C07
  • Part of subcall function 008D1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008D1C12
  • Part of subcall function 008D1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 008D1C1A
  • Part of subcall function 008D1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 008D1C22
  • Part of subcall function 008D1B4A: RegisterWindowMessageW.USER32(00000004,?,008D12C4), ref: 008D1BA2
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 008D136A
• OleInitialize.OLE32 ref: 008D1388
• CloseHandle.KERNEL32(00000000,00000000), ref: 009124AB
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1986988660-0
                                                                                                                                                                                                                                                          • Opcode ID: 1d36c1b106a17ebb92d135dd6c9820f518738e13d593625bc32b0070f614357e
                                                                                                                                                                                                                                                          • Instruction ID: 91ca45c14daad1b90173e0973242b29bc1690e5c4c30518867bb1c9fdb254a67
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1d36c1b106a17ebb92d135dd6c9820f518738e13d593625bc32b0070f614357e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D4718CB8D293109EC798DF6DA8456553AE4FF8B394F14A22AA05AC7371E7344440AFC1
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
  • Part of subcall function 008D3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 008D3A04
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0093C259
• KillTimer.USER32(?,00000001,?,?), ref: 0093C261
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0093C270
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: IconNotifyShell_Timer$Kill
• String ID:
• API String ID: 3500052701-0
• Opcode ID: 6408119bb02e54a8bcb7a8731e922cc366c45725f3b69993b60a9f6346416af5
• Instruction ID: a102a7388df14aac6e5fcfd5f331412854b33effeb1ac82d25ddd928e36d8c02
• Opcode Fuzzy Hash: 6408119bb02e54a8bcb7a8731e922cc366c45725f3b69993b60a9f6346416af5
• Instruction Fuzzy Hash: 2B3195B0904754AFEB229F748855BE7BBECAF06304F04049EE5EAA7241C7746A84DF51
Uniqueness
• Uniqueness Score: -1.00%

APIs
• FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,009085CC,?,00998CC8,0000000C), ref: 00908704
• GetLastError.KERNEL32(?,009085CC,?,00998CC8,0000000C), ref: 0090870E
• __dosmaperr.LIBCMT ref: 00908739
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: ChangeCloseErrorFindLastNotification__dosmaperr
• String ID:
• API String ID: 490808831-0
• Opcode ID: 4e00e3c75d2ed91d7d1052aa3b6d9e27c145c7090186a50b0980cb125bdafef4
• Instruction ID: 4a6460917a52a995328ccf7a7ee08a340d3990bd47435240b5597a3dffb722b5
• Opcode Fuzzy Hash: 4e00e3c75d2ed91d7d1052aa3b6d9e27c145c7090186a50b0980cb125bdafef4
• Instruction Fuzzy Hash: 59014E32B056605ED6246334A849B7F6B4D4FD2778F3B011DF8549B1D3DEB2CC819690
Uniqueness
• Uniqueness Score: -1.00%

APIs
• TranslateMessage.USER32(?), ref: 008DDB7B
• DispatchMessageW.USER32(?), ref: 008DDB89
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008DDB9F
• Sleep.KERNEL32(0000000A), ref: 008DDBB1
• TranslateAcceleratorW.USER32(?,?,?), ref: 00921CC9
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Message$Translate$AcceleratorDispatchPeekSleep
• String ID:
• API String ID: 3288985973-0
• Opcode ID: f27423d0be49f86a3e71dc3c79f6f7ef74a2afed7142b29c599cdbf27fc148fb
• Instruction ID: 12bddc4abc38d67e834a3a7d940f80312993b66b5dfae0df93f5129969b0a95b
• Opcode Fuzzy Hash: f27423d0be49f86a3e71dc3c79f6f7ef74a2afed7142b29c599cdbf27fc148fb
• Instruction Fuzzy Hash: D7F05E706583409BE730CB64DC49FAA73ACFB45314F104A1AF68AC31C0DB74A488EB16
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • __Init_thread_footer.LIBCMT ref: 008E17F6
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Init_thread_footer
• String ID: CALL
• API String ID: 1385522511-4196123274
APIs
• GetOpenFileNameW.COMDLG32(?), ref: 00912C8C
  • Part of subcall function 008D3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008D3A97,?,?,008D2E7F,?,?,?,00000000), ref: 008D3AC2
  • Part of subcall function 008D2DA5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 008D2DC4
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
Similarity
• API ID: Name$Path$FileFullLongOpen
• String ID: X
• API String ID: 779396738-3081909835
APIs
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 008D3908
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
Similarity
• API ID: IconNotifyShell_
• String ID:
• API String ID: 1144537725-0
APIs
• timeGetTime.WINMM ref: 008EF661
  • Part of subcall function 008DD730: GetInputState.USER32 ref: 008DD807
• Sleep.KERNEL32(00000000), ref: 0092F2DE
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
Similarity
• API ID: InputSleepStateTimetime
• String ID:
• API String ID: 4149333218-0
APIs
• __Init_thread_footer.LIBCMT ref: 008DBB4E
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
Similarity
• API ID: Init_thread_footer
• String ID:
• API String ID: 1385522511-0
APIs
• __Init_thread_footer.LIBCMT ref: 00955930
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Init_thread_footer
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1385522511-0
                                                                                                                                                                                                                                                          • Opcode ID: d4ae9eb3073fc271a852d9bfaefa3a71b837de2ec9cafa41e41af03c82cfbf1f
                                                                                                                                                                                                                                                          • Instruction ID: 437f3b6f52870be021a7b561e1cf830e5cba4c67c60f152aba049f514e710d7b
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d4ae9eb3073fc271a852d9bfaefa3a71b837de2ec9cafa41e41af03c82cfbf1f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C271CE30600609EFCB20DF59C8A0EBAB7F9FF59310F118169F9459B292D775AD89CB90
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
  • Part of subcall function 008D4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,008D4EDD,?,009A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008D4E9C
  • Part of subcall function 008D4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008D4EAE
  • Part of subcall function 008D4E90: FreeLibrary.KERNEL32(00000000,?,?,008D4EDD,?,009A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008D4EC0
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008D4EFD
  • Part of subcall function 008D4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00913CDE,?,009A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008D4E62
  • Part of subcall function 008D4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008D4E74
  • Part of subcall function 008D4E59: FreeLibrary.KERNEL32(00000000,?,?,00913CDE,?,009A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008D4E87
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Library$Load$AddressFreeProc
• String ID:
• API String ID: 2632591731-0
• Opcode ID: 074f4cfb11a7b4079412e1cbe04926628d37def4e7470bb131d3c11df0841767
• Instruction ID: 80471a4d540ef9c704cd2dd9d2ed5f09364992e1d1f6d4aceb04a831c9e6e425
• Opcode Fuzzy Hash: 074f4cfb11a7b4079412e1cbe04926628d37def4e7470bb131d3c11df0841767
• Instruction Fuzzy Hash: 9111E332610209ABCF14AF78DC06FAD77A5FF40720F10852FF592E62E1EE709A459791
Uniqueness
• Uniqueness Score: -1.00%
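
The entries in this section pack two kinds of information into terse encoded forms: the API lines (call, module, the arguments as the sandbox saw them, and the address of the call site, nested under the function that contains it when it is a subcall), and the .sdmp file names, whose fields carry the dumped region's base address, page protection and memory type. The Python below is an added example written for this report, not Joe Sandbox code; it parses both forms out of the LoadLibrary entry above and lists the exports that the code resolves at run time through GetProcAddress. The PAGE_* and MEM_* decodings are the documented Windows constants; reading the first two name fields as process index and dump run is an inference from the matching hcaresult_13_2_8d0000 snapshot name, and the remaining fields are left undecoded because the page does not say what they are.

```python
"""Parse the per-function entries of a Joe Sandbox report: the call lines
under "APIs" and the .sdmp dump-file names under "Memory Dump Source".
Added example for this report; not Joe Sandbox's own code.  Field meanings
marked INFERRED are read off the names on the page, not documented."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Win32 page-protection values (winnt.h PAGE_*) and region types
# (MEMORY_BASIC_INFORMATION.Type, MEM_*).  Documented constants.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# <proc>.<run>.<serial>.<base>.<protect>.<f6>.<type>.<f8>.sdmp
SDMP_RE = re.compile(
    r"([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\."
    r"([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp")
# [Part of subcall function X:] Api.MODULE(args), ref: ADDR   (args optional)
API_RE = re.compile(
    r"•?\s*(?:Part of subcall function ([0-9A-F]+):\s*)?"
    r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-F]+)\s*$")


@dataclass
class Region:
    process: int      # INFERRED: the "13" in hcaresult_13_2_8d0000
    run: int          # INFERRED: the "2" in hcaresult_13_2_8d0000
    base: int         # start address of the dumped region
    protect: str      # PAGE_* decoded from the fifth field
    mem_type: str     # MEM_* decoded from the seventh field
    raw: str


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]   # as printed by the sandbox: hex values, strings or "?"
    ref: int          # address of the call instruction
    subcall_of: Optional[int] = None   # containing function for nested calls


def parse_region(line: str) -> Optional[Region]:
    m = SDMP_RE.search(line)
    if not m:
        return None
    proc, run, _serial, base, prot, _f6, mtype, _f8 = m.groups()
    prot_v, type_v = int(prot, 16), int(mtype, 16)
    return Region(int(proc, 16), int(run, 16), int(base, 16),
                  PAGE_PROTECT.get(prot_v, f"0x{prot_v:x}"),
                  MEM_TYPE.get(type_v, f"0x{type_v:x}"), m.group(0))


def parse_api(line: str) -> Optional[ApiCall]:
    m = API_RE.search(line)
    if not m:
        return None
    sub, api, module, args, ref = m.groups()
    arglist = [a.strip() for a in args.split(",")] if args else []
    return ApiCall(api, module, arglist, int(ref, 16), int(sub, 16) if sub else None)


def parse_entry(text: str):
    """Split one report entry into its API calls and dumped regions."""
    calls, regions = [], []
    for line in text.splitlines():
        call = parse_api(line)
        if call:
            calls.append(call)
            continue
        region = parse_region(line)
        if region:
            regions.append(region)
    return calls, regions


def resolved_exports(calls: List[ApiCall]) -> List[str]:
    """Exports looked up at run time: the second GetProcAddress argument."""
    return [c.args[1] for c in calls if c.api == "GetProcAddress" and len(c.args) > 1]


# Sample input: lines copied from the LoadLibrary entry of this report
# (the "Download File" link text stripped), so the parser runs offline.
ENTRY = """\
APIs
  • Part of subcall function 008D4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,008D4EDD,?,009A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008D4E9C
  • Part of subcall function 008D4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008D4EAE
  • Part of subcall function 008D4E90: FreeLibrary.KERNEL32(00000000,?,?,008D4EDD,?,009A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008D4EC0
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,009A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008D4EFD
  • Part of subcall function 008D4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008D4E74
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
"""

if __name__ == "__main__":
    calls, regions = parse_entry(ENTRY)
    for c in calls:
        nest = f" (in {c.subcall_of:08X})" if c.subcall_of else ""
        print(f"{c.ref:08X} {c.module}!{c.api}{nest} args={c.args[:2]}")
    for r in regions:
        print(f"proc {r.process} run {r.run} base {r.base:08X} {r.protect} {r.mem_type}")
    print("resolved at run time:", resolved_exports(calls))
```

Run as a script it shows the code region at 008D1000 as PAGE_EXECUTE_READ / MEM_IMAGE, the header at 008D0000 as PAGE_READONLY and the region at 0099C000 as PAGE_READWRITE, and lists Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection as the exports the AutoIt runtime resolves dynamically, which is what a reviewer needs to see before deciding whether a LoadLibraryExW with flag 00000002 (LOAD_LIBRARY_AS_DATAFILE) in this entry is worth a closer look.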

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: __wsopen_s
• String ID:
• API String ID: 3347428461-0
• Opcode ID: 3293f3312e5cbd716db0704bad1df3d01082a54d7ff04b64af2a0e6b3af76375
• Instruction ID: 502eda9ad408d7d2795ac7edf31cc2604e215e1cc2b1a9b11061bb6bfb66c94d
• Opcode Fuzzy Hash: 3293f3312e5cbd716db0704bad1df3d01082a54d7ff04b64af2a0e6b3af76375
• Instruction Fuzzy Hash: C8111875A0410AAFCF05DF58E941ADF7BF9EF48314F104059F808AB352DA31DA11CBA5
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00904C7D: RtlAllocateHeap.NTDLL(00000008,008D1129,00000000,?,00902E29,00000001,00000364,?,?,?,008FF2DE,00903863,009A1444,?,008EFDF5,?), ref: 00904CBE
• _free.LIBCMT ref: 0090506C
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
• Opcode ID: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
• Instruction ID: 85334f52cb6a6032a59a48a8700dc8cc91888705ae47793eea5daaadc4ccd741
• Opcode Fuzzy Hash: 9ba45ce058d1080761d5af908226540236078fd1fc19e2e0238d0ad147f07c6e
• Instruction Fuzzy Hash: 64012B722047046FE3218F559845A5AFBECFB85370F25091DE194932C0E6306805CA74
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetForegroundWindow.USER32(00000000,?,?,?,009614B5,?), ref: 00962A01
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: ForegroundWindow
• String ID:
• API String ID: 2020703349-0
• Opcode ID: a5335589fd6841beb38fb69365bdc8e0e99eff9289741e1fdfb3f0143097f589
• Instruction ID: b4f91ec153b658795547cb477deae448eb72a3ad50f522fec44d1889473fb47f
• Opcode Fuzzy Hash: a5335589fd6841beb38fb69365bdc8e0e99eff9289741e1fdfb3f0143097f589
• Instruction Fuzzy Hash: B101B136300E829FD324CB6CC554B263796EBC5318F69C468D0878B291DB72EC42C7A0
Uniqueness
• Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
• Instruction ID: 6c17e560e938873b6a080987db57f2232fb936e563b96afd82203254992eea7b
• Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
• Instruction Fuzzy Hash: 71F0F932510A1C9AC6313E798C09B7B3398EFA2334F100715F721D61E2DF78A401C5A6
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: _wcslen
• String ID:
• API String ID: 176396367-0
• Opcode ID: 2a5568052486cbf4e0cd30e36d7b9dc833817de7baba896c94b7e8b926ea76a8
• Instruction ID: aade0c4cd289c0774e0efb62d2f11ac71f6fee236c9047fd8b58c91983fce612
• Opcode Fuzzy Hash: 2a5568052486cbf4e0cd30e36d7b9dc833817de7baba896c94b7e8b926ea76a8
• Instruction Fuzzy Hash: E4F0CD736006056ED7145F3DDC06A67BB94FF44760F10862AF719CB1D1DB71E51087A0
Uniqueness
Uniqueness Score: -1.00%
APIs
• RtlAllocateHeap.NTDLL(00000008,008D1129,00000000,?,00902E29,00000001,00000364,?,?,?,008FF2DE,00903863,009A1444,?,008EFDF5,?), ref: 00904CBE
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: 720a8714eb5a91b2c0681e51fd3f28f8677adea792acba6f8e280542188f6e6b
• Instruction ID: 9b1f2ffde36917602f0c8ba9731d9231acaeab9a7d907ad1bebad5c99476403d
• Opcode Fuzzy Hash: 720a8714eb5a91b2c0681e51fd3f28f8677adea792acba6f8e280542188f6e6b
• Instruction Fuzzy Hash: FCF0F0712062386BEB201E369C08BAA378CFF413A0B048112FA89E61C0CA70D80046E0
Uniqueness
Uniqueness Score: -1.00%
APIs
• RtlAllocateHeap.NTDLL(00000000,?,009A1444,?,008EFDF5,?,?,008DA976,00000010,009A1440,008D13FC,?,008D13C6,?,008D1129), ref: 00903852
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
• Opcode ID: bf979dc1f44a8c7f31a408acbef22fcd5a22354bf947b17a2f1e3cae2c11e20d
• Instruction ID: 86e0870513f40f822a1ee5f3b50067ddc314e88da23abae68f69764e6159f91f
• Opcode Fuzzy Hash: bf979dc1f44a8c7f31a408acbef22fcd5a22354bf947b17a2f1e3cae2c11e20d
• Instruction Fuzzy Hash: D7E0E5311042285FD7212A7A9C00BAB365CEF427B0F05C0A1FD05D28D1CB61DE0191E1
Uniqueness
Uniqueness Score: -1.00%
APIs
• FreeLibrary.KERNEL32(?,?,009A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008D4F6D
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
• Opcode ID: a999ce8ab1f3900e95c0554a6dcb0196e61826f3a0b4eded3944be689b633ed5
• Instruction ID: 8ae1c8d7314b05af9bdcb80a8703d731c6704c842101652847b1e46f6937a75e
• Opcode Fuzzy Hash: a999ce8ab1f3900e95c0554a6dcb0196e61826f3a0b4eded3944be689b633ed5
• Instruction Fuzzy Hash: 15F015B1109756CFDB349F64D490822BBE4FF143293209A6FE2EAC2621CB319844DB10
Uniqueness
Uniqueness Score: -1.00%
                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • IsWindow.USER32(00000000), ref: 00962A66
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Window
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2353593579-0
                                                                                                                                                                                                                                                          • Opcode ID: b11071a8a0c1cd75578683d557d5c5b5ace85ddd5368bfbc50cd51b8138c579b
                                                                                                                                                                                                                                                          • Instruction ID: 1709b5975cc15ad53f9d66bef7b492b0b3579802f724011f22959f751edcd150
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b11071a8a0c1cd75578683d557d5c5b5ace85ddd5368bfbc50cd51b8138c579b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 03E02636354616AAC710EB70DC80AFE734CEF90390B00483AFC26C2140DB74999186E0
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • Shell_NotifyIconW.SHELL32(00000002,?), ref: 008D314E
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: IconNotifyShell_
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1144537725-0
                                                                                                                                                                                                                                                          • Opcode ID: e7d6e02336765a96fc875c3147d38674a5aae24f4a5dddfbabded4987fe14328
                                                                                                                                                                                                                                                          • Instruction ID: 7f1518e097c1be21fccbfc883efa73872d6177b97fb7a4e50687c9ab888eea8c
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e7d6e02336765a96fc875c3147d38674a5aae24f4a5dddfbabded4987fe14328
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B6F037709143589FEB52DF24DC457D67BBCBB01708F0001E9A688D6291DBB45788CF92
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0093B25D
                                                                                                                                                                                                                                                          • keybd_event.USER32(?,7694C0D0,?,00000000), ref: 0093B270
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: InputSendkeybd_event
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3536248340-0
                                                                                                                                                                                                                                                          • Opcode ID: 5e511ef4cee42c2d75941680b4d608a0dce740880b5958dd2980aa0ee637da2b
                                                                                                                                                                                                                                                          • Instruction ID: 41ed7d81b2db3930c1cb6b69bb38be5c1d2e6f2a6bc72d11150f25aa962d1fc8
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5e511ef4cee42c2d75941680b4d608a0dce740880b5958dd2980aa0ee637da2b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 06F058708182899ADB05CFA184067FFBFB0AF19309F00814EE962A6292C3BC82058F94
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 008D2DC4
                                                                                                                                                                                                                                                            • Part of subcall function 008D6B57: _wcslen.LIBCMT ref: 008D6B6A
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: LongNamePath_wcslen
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 541455249-0
                                                                                                                                                                                                                                                          • Opcode ID: a31b19372e3c5e8014dc036af66a8a14633c150857e78e5e574aaa85ed7cbf2d
                                                                                                                                                                                                                                                          • Instruction ID: 30c62d60e168c75eaebf95b61c89dad850c1ac88db8fadb3ed3a7a49e85dc51a
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a31b19372e3c5e8014dc036af66a8a14633c150857e78e5e574aaa85ed7cbf2d
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 94E0CD727041285BC710A2589C05FEA77DDEFC87D0F040176FD09D7348DA60ED808551
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 008D3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008D3908
                                                                                                                                                                                                                                                            • Part of subcall function 008DD730: GetInputState.USER32 ref: 008DD807
                                                                                                                                                                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 008D2B6B
                                                                                                                                                                                                                                                            • Part of subcall function 008D30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 008D314E
                                                                                                                                                                                                                                                          Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: IconNotifyShell_$CurrentDirectoryInputState
• String ID:
• API String ID: 3667716007-0
• Opcode ID: 4237d82b9fa2bf38dd2b2933c12024c74f6f9aa2eb4003a633741eee9951d608
• Instruction ID: fa81f8094dea7678fd27209dd976391c7ceefa568f7a8ef781abb65988425d4a
• Opcode Fuzzy Hash: 4237d82b9fa2bf38dd2b2933c12024c74f6f9aa2eb4003a633741eee9951d608
• Instruction Fuzzy Hash: B6E0862170424406C604BB7DA85257DA799FBD6361F40173FF182C3372CE6449455253
Uniqueness
• Uniqueness Score: -1.00%

APIs
• CreateFileW.KERNEL32(00000000,00000000,?,00910704,?,?,00000000,?,00910704,00000000,0000000C), ref: 009103B7
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 0817304445e3c6cd405f211fea00507f0dd649f8508cc1d72c0dc0f62eaf9127
• Instruction ID: 1929a58121be6a3eeecee34366e067c59da13d83fdedb2caa6e14df19466fcd4
• Opcode Fuzzy Hash: 0817304445e3c6cd405f211fea00507f0dd649f8508cc1d72c0dc0f62eaf9127
• Instruction Fuzzy Hash: A5D06C3205410DBBDF028F84DD06EDA3BAAFB48714F014000FE5856020C772E821AB90
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 008D1CBC
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: InfoParametersSystem
• String ID:
• API String ID: 3098949447-0
• Opcode ID: b27556c1a15fe927eb3b9e44ef1b9450a5d177f31f007b20dd41941a65d8fd20
• Instruction ID: 4cfbd246ee854d20abfb451093493ae5a713c82648a36472e6ec1a765a1334ba
• Opcode Fuzzy Hash: b27556c1a15fe927eb3b9e44ef1b9450a5d177f31f007b20dd41941a65d8fd20
• Instruction Fuzzy Hash: 8BC09B3529C3049FF7144B84BC4AF107754B749B10F044001F649555E3C7E11410FAD0
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 009310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00931114
  • Part of subcall function 009310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00930B9B,?,?,?), ref: 00931120
  • Part of subcall function 009310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00930B9B,?,?,?), ref: 0093112F
  • Part of subcall function 009310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00930B9B,?,?,?), ref: 00931136
  • Part of subcall function 009310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0093114D
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00930BCC
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00930C00
• GetLengthSid.ADVAPI32(?), ref: 00930C17
• GetAce.ADVAPI32(?,00000000,?), ref: 00930C51
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00930C6D
• GetLengthSid.ADVAPI32(?), ref: 00930C84
• GetProcessHeap.KERNEL32(00000008,00000008), ref: 00930C8C
• HeapAlloc.KERNEL32(00000000), ref: 00930C93
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00930CB4
• CopySid.ADVAPI32(00000000), ref: 00930CBB
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00930CEA
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00930D0C
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00930D1E
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00930D45
• HeapFree.KERNEL32(00000000), ref: 00930D4C
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00930D55
• HeapFree.KERNEL32(00000000), ref: 00930D5C
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00930D65
• HeapFree.KERNEL32(00000000), ref: 00930D6C
• GetProcessHeap.KERNEL32(00000000,?), ref: 00930D78
• HeapFree.KERNEL32(00000000), ref: 00930D7F
  • Part of subcall function 00931193: GetProcessHeap.KERNEL32(00000008,00930BB1,?,00000000,?,00930BB1,?), ref: 009311A1
  • Part of subcall function 00931193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00930BB1,?), ref: 009311A8
  • Part of subcall function 00931193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00930BB1,?), ref: 009311B7
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 4175595110-0
• Opcode ID: aae621a0891afb88b6af5b27112f54c6f4d4868601bead77f8b3cda6f1d7a2ee
• Instruction ID: a007858a9c1141aa277380ab08c7d9a63524b1e16fbc4fa7e9a35298d15415ce
• Opcode Fuzzy Hash: aae621a0891afb88b6af5b27112f54c6f4d4868601bead77f8b3cda6f1d7a2ee
• Instruction Fuzzy Hash: 8C7159B290420AABDF10DFE4DC45BAEBBBCBF45300F044559F964A7291D7B1AA05CFA0
Uniqueness
• Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • OpenClipboard.USER32(0096CC08), ref: 0094EB29
                                                                                                                                                                                                                                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 0094EB37
                                                                                                                                                                                                                                                          • GetClipboardData.USER32(0000000D), ref: 0094EB43
                                                                                                                                                                                                                                                          • CloseClipboard.USER32 ref: 0094EB4F
                                                                                                                                                                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 0094EB87
                                                                                                                                                                                                                                                          • CloseClipboard.USER32 ref: 0094EB91
                                                                                                                                                                                                                                                          • GlobalUnlock.KERNEL32(00000000,00000000), ref: 0094EBBC
                                                                                                                                                                                                                                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 0094EBC9
                                                                                                                                                                                                                                                          • GetClipboardData.USER32(00000001), ref: 0094EBD1
                                                                                                                                                                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 0094EBE2
                                                                                                                                                                                                                                                          • GlobalUnlock.KERNEL32(00000000,?), ref: 0094EC22
                                                                                                                                                                                                                                                          • IsClipboardFormatAvailable.USER32(0000000F), ref: 0094EC38
                                                                                                                                                                                                                                                          • GetClipboardData.USER32(0000000F), ref: 0094EC44
                                                                                                                                                                                                                                                          • GlobalLock.KERNEL32(00000000), ref: 0094EC55
                                                                                                                                                                                                                                                          • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0094EC77
                                                                                                                                                                                                                                                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0094EC94
                                                                                                                                                                                                                                                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0094ECD2
                                                                                                                                                                                                                                                          • GlobalUnlock.KERNEL32(00000000,?,?), ref: 0094ECF3
                                                                                                                                                                                                                                                          • CountClipboardFormats.USER32 ref: 0094ED14
                                                                                                                                                                                                                                                          • CloseClipboard.USER32 ref: 0094ED59
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 420908878-0
                                                                                                                                                                                                                                                          • Opcode ID: 56cdfd4bd7c845aca3375620f6e66d73dcc8209fef69b3234461c33d20151815
                                                                                                                                                                                                                                                          • Instruction ID: d58bff8763fb1ea24e0b335cbb63e8a35bd519cd5288576e2442ad81c6ffec61
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 56cdfd4bd7c845aca3375620f6e66d73dcc8209fef69b3234461c33d20151815
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7061AD74208202AFD310EF24D895F3A77A8FF84714F14451EF896D72A2DB71E905DBA2
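The API sequence listed for this function (OpenClipboard, then IsClipboardFormatAvailable/GetClipboardData for formats 0x0D, 0x01 and 0x0F, a DragQueryFileW loop, CloseClipboard) is a complete clipboard read of text plus any dropped file list. The Python below is an added example, not part of the Joe Sandbox report: it parses API call lines in the format shown above, decodes the clipboard format constants from winuser.h (CF_TEXT = 0x01, CF_UNICODETEXT = 0x0D, CF_HDROP = 0x0F) and summarises what the function pulls from the clipboard. The sample input is copied from the listing above; the regex, the ApiCall type and the summarize() helper are this example's own and assume the line layout as rendered on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the API call lines of the clipboard-reading
# function, copied from the Joe Sandbox listing on this page.
SAMPLE_LINES = """\
• OpenClipboard.USER32(0096CC08), ref: 0094EB29
• IsClipboardFormatAvailable.USER32(0000000D), ref: 0094EB37
• GetClipboardData.USER32(0000000D), ref: 0094EB43
• CloseClipboard.USER32 ref: 0094EB4F
• GlobalLock.KERNEL32(00000000), ref: 0094EB87
• CloseClipboard.USER32 ref: 0094EB91
• GlobalUnlock.KERNEL32(00000000,00000000), ref: 0094EBBC
• IsClipboardFormatAvailable.USER32(00000001), ref: 0094EBC9
• GetClipboardData.USER32(00000001), ref: 0094EBD1
• GlobalLock.KERNEL32(00000000), ref: 0094EBE2
• GlobalUnlock.KERNEL32(00000000,?), ref: 0094EC22
• IsClipboardFormatAvailable.USER32(0000000F), ref: 0094EC38
• GetClipboardData.USER32(0000000F), ref: 0094EC44
• GlobalLock.KERNEL32(00000000), ref: 0094EC55
• DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0094EC77
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0094EC94
• DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0094ECD2
• GlobalUnlock.KERNEL32(00000000,?,?), ref: 0094ECF3
• CountClipboardFormats.USER32 ref: 0094ED14
• CloseClipboard.USER32 ref: 0094ED59
"""

# Standard clipboard format identifiers (winuser.h).
CLIPBOARD_FORMATS = {0x01: "CF_TEXT", 0x0D: "CF_UNICODETEXT", 0x0F: "CF_HDROP"}
MAX_PATH = 0x104  # 260 characters

# One Joe Sandbox API line: "• Api.MODULE(arg,arg), ref: ADDR" or "• Api.MODULE ref: ADDR".
# A "Part of subcall function XXXX:" prefix marks a call made from a callee.
CALL_RE = re.compile(
    r"^\s*•\s*(?P<nested>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the sandbox printed '?' (value unknown)
    ref: int                    # call-site address
    nested: bool                # True for "Part of subcall function" lines


def _parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    return None if tok in ("", "?") else int(tok, 16)


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse the API list of one function entry; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue
        args = [_parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16),
                             m["nested"] is not None))
    return calls


def formats_read(calls: List[ApiCall]) -> List[str]:
    """Clipboard formats actually fetched with GetClipboardData (not merely probed)."""
    out = []
    for c in calls:
        if c.api == "GetClipboardData" and c.args and c.args[0] is not None:
            out.append(CLIPBOARD_FORMATS.get(c.args[0], f"0x{c.args[0]:X}"))
    return out


def summarize(calls: List[ApiCall]) -> dict:
    """Summarise what the function takes from the clipboard."""
    drag = [c for c in calls if c.api == "DragQueryFileW"]
    return {
        "opens_clipboard": any(c.api == "OpenClipboard" for c in calls),
        "closes_clipboard": any(c.api == "CloseClipboard" for c in calls),
        "formats_read": formats_read(calls),
        # DragQueryFileW with a NULL output buffer asks for a count/size;
        # calls with cch == MAX_PATH copy one path into a caller buffer.
        "hdrop_size_queries": sum(1 for c in drag if c.args[2:3] == [0]),
        "hdrop_path_copies": sum(1 for c in drag if c.args[3:4] == [MAX_PATH]),
        "call_sites": [f"{c.api}@{c.ref:08X}" for c in calls if not c.nested],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_api_lines(SAMPLE_LINES)).items():
        print(f"{key}: {value}")
```

The trace alone does not say whether this routine is the sample's own stealer logic or library code. Since the report flags the binary as a compiled AutoIt script, a read of exactly these three formats is also consistent with what the AutoIt runtime's ClipGet() does, so confirm against the decompiled script before attributing clipboard theft to this function rather than to the interpreter.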
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindFirstFileW.KERNEL32(?,?), ref: 009469BE
• FindClose.KERNEL32(00000000), ref: 00946A12
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00946A4E
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00946A75
  • Part of subcall function 008D9CB3: _wcslen.LIBCMT ref: 008D9CBD
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00946AB2
• FileTimeToSystemTime.KERNEL32(?,?), ref: 00946ADF
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
• String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
• API String ID: 3830820486-3289030164
• Opcode ID: 9fb1efd56f8009b3f603f0fa88f592875601c8a1e6b50868861ee2603da08e06
• Instruction ID: 1c5b44e10e913b3abed6cae3ac69a7ec9a6f3ffa8eac0999be3b5e03903d230a
• Opcode Fuzzy Hash: 9fb1efd56f8009b3f603f0fa88f592875601c8a1e6b50868861ee2603da08e06
• Instruction Fuzzy Hash: D6D131B1508340AEC714EBA4C891EABB7ECFF89704F44491EF585D6291EB74DA44CB63
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Clipboard$AllocCloseEmptyGlobalOpen
• String ID:
• API String ID: 1737998785-0
• Opcode ID: 92b4579b180951771c5eaa4b37de477c6334b03c264cae85de3144f1462d5387
• Instruction ID: 24eb98c36c83a4679a672b722a88d84352c6c89f60e53f9c05982da4ab6fac5d
• Opcode Fuzzy Hash: 92b4579b180951771c5eaa4b37de477c6334b03c264cae85de3144f1462d5387
• Instruction Fuzzy Hash: 7B41AC71608612AFD710CF19D888F2ABBA5FF44318F14819DE4568B6A2C7B5EC41CB90
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 009316C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0093170D
  • Part of subcall function 009316C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0093173A
  • Part of subcall function 009316C3: GetLastError.KERNEL32 ref: 0093174A
• ExitWindowsEx.USER32(?,00000000), ref: 0093E932
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $ $@$SeShutdownPrivilege
• API String ID: 2234035333-3163812486
• Opcode ID: c14d55b1ee718862845b02330738780213e6aded53dc6baca7c56b60ecf19414
                                                                                                                                                                                                                                                          • Instruction ID: 977a4101356cf86e9b29f1e963dec52a9963876bee8cc0048cb14515e6ef2418
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c14d55b1ee718862845b02330738780213e6aded53dc6baca7c56b60ecf19414
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D5017D73724210AFEF2422B49C86FBF725C9704790F150822FC03F31D1D5A49C409B90
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• _wcslen.LIBCMT ref: 009464DC
• CoInitialize.OLE32(00000000), ref: 00946639
• CoCreateInstance.OLE32(0096FCF8,00000000,00000001,0096FB68,?), ref: 00946650
• CoUninitialize.OLE32 ref: 009468D4
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: CreateInitializeInstanceUninitialize_wcslen
• String ID: .lnk
• API String ID: 886957087-24824748
• Opcode ID: f711051241a7bf233f18ada0318dd2bf597ad6e445effd06d24bcedce50bc012
• Instruction ID: ea275836dcf62c1c5c2bf24c50c258492de2f139fdb3cb6fdefc1564df37dd0a
• Opcode Fuzzy Hash: f711051241a7bf233f18ada0318dd2bf597ad6e445effd06d24bcedce50bc012
• Instruction Fuzzy Hash: 2BD126B1518201AFC314EF28C881E6AB7E9FF99704F40496DF595CB2A1EB70ED05CB92
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetForegroundWindow.USER32(?,?,00000000), ref: 009522E8
  • Part of subcall function 0094E4EC: GetWindowRect.USER32(?,?), ref: 0094E504
• GetDesktopWindow.USER32 ref: 00952312
• GetWindowRect.USER32(00000000), ref: 00952319
• mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00952355
• GetCursorPos.USER32(?), ref: 00952381
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009523DF
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForeground
• String ID:
• API String ID: 2387181109-0
• Opcode ID: 1e63bcba95559c37968d5df65d6080a277127c4a136d5964335aa7ca67c71c26
• Instruction ID: 3fc7c9194049cf8296670280ed6e077078a4022b71223217d424425e42f3b4bd
• Opcode Fuzzy Hash: 1e63bcba95559c37968d5df65d6080a277127c4a136d5964335aa7ca67c71c26
• Instruction Fuzzy Hash: 7031FE72108305AFC720DF55C848B6BBBA9FF85710F00091EF88597191DB74EA08CB92
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0095A6AC
• Process32FirstW.KERNEL32(00000000,?), ref: 0095A6BA
  • Part of subcall function 008D9CB3: _wcslen.LIBCMT ref: 008D9CBD
• Process32NextW.KERNEL32(00000000,?), ref: 0095A79C
• CloseHandle.KERNEL32(00000000), ref: 0095A7AB
  • Part of subcall function 008ECE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00913303,?), ref: 008ECE8A
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
• String ID:
• API String ID: 1991900642-0
• Opcode ID: c627206b465c465537176ba1f0e2ec65087047735e7b7d625ce1b919fb933c0f
• Instruction ID: 518733a2a72de2cb77d3fcbbe4b26ed2d6876f3cc80108b475dda0f42376e841
• Opcode Fuzzy Hash: c627206b465c465537176ba1f0e2ec65087047735e7b7d625ce1b919fb933c0f
• Instruction Fuzzy Hash: 0C513B715083009FD710DF29D885A6BBBE8FF89754F004A1EF995D7251EB70D904CB92
Uniqueness
Uniqueness Score: -1.00%

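The function summaries in this report are raw per-function API listings, and a sample of this size produces thousands of them. The Python below is an added triage helper written for this page (it is not Joe Sandbox code): it parses the "APIs" blocks, keeps the nested "Part of subcall function" calls, picks up the "String ID" line of the same record, and tags each function with a coarse capability so the listing can be sorted by interest. The capability rules are this example's own assumptions, and the sample input is constructed from the API and String ID lines of the shortcut, mouse_event and Toolhelp32 blocks above plus the BlockInput block that follows.

```python
"""Triage helper for the per-function API summaries in a Joe Sandbox report.

Added example, not Joe Sandbox code. Each "APIs" label starts a function
record; the record runs until the next "APIs" label, so the later
"Similarity" / "String ID" line of the same function is attached to it.
The capability rules in classify() are an editorial assumption.
"""
import re

# One API call line, optionally nested as "Part of subcall function XXXXXXXX: ".
API_LINE = re.compile(
    r"^(?P<indent>\s*)•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
# Joe Sandbox joins the strings of a function with "$".
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<strs>.*)$")

# Constructed sample: API and String ID lines copied from four function
# blocks of this report, with one unrelated bullet to show it is ignored.
SAMPLE = """\
APIs
• _wcslen.LIBCMT ref: 009464DC
• CoInitialize.OLE32(00000000), ref: 00946639
• CoCreateInstance.OLE32(0096FCF8,00000000,00000001,0096FB68,?), ref: 00946650
• CoUninitialize.OLE32 ref: 009468D4
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
Similarity
• String ID: .lnk
APIs
• GetForegroundWindow.USER32(?,?,00000000), ref: 009522E8
  • Part of subcall function 0094E4EC: GetWindowRect.USER32(?,?), ref: 0094E504
• GetDesktopWindow.USER32 ref: 00952312
• mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00952355
• GetCursorPos.USER32(?), ref: 00952381
• String ID:
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0095A6AC
• Process32FirstW.KERNEL32(00000000,?), ref: 0095A6BA
  • Part of subcall function 008D9CB3: _wcslen.LIBCMT ref: 008D9CBD
• Process32NextW.KERNEL32(00000000,?), ref: 0095A79C
• CloseHandle.KERNEL32(00000000), ref: 0095A7AB
APIs
• BlockInput.USER32(00000001), ref: 0094EABD
"""


def parse_records(text):
    """Split report text into function records: {'apis': [...], 'strings': [...]}."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = {"apis": [], "strings": []}
            records.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(line)
        if m:
            current["apis"].append({
                "api": m.group("api"), "module": m.group("module"),
                "ref": m.group("ref"), "via_subcall": m.group("sub"),
            })
            continue
        m = STRING_LINE.match(line)
        if m:
            current["strings"].extend(
                s for s in m.group("strs").split("$") if s.strip())
    return records


def classify(record):
    """Coarse capability tags (editorial assumption) for one function record."""
    apis = {a["api"] for a in record["apis"]}   # includes subcall APIs
    strings = record["strings"]
    tags = []
    if apis & {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}:
        tags.append("process enumeration")
    if "BlockInput" in apis:
        tags.append("user input blocking")
    if apis & {"mouse_event", "keybd_event", "SendInput"}:
        tags.append("synthetic input")
    if "CoCreateInstance" in apis and any(s.lower().endswith(".lnk") for s in strings):
        tags.append("shortcut (.lnk) creation")
    return tags


def triage(text):
    """One (entry_ref, api_names, tags) triple per function record, report order."""
    rows = []
    for rec in parse_records(text):
        entry = rec["apis"][0]["ref"] if rec["apis"] else None
        rows.append((entry, [a["api"] for a in rec["apis"]], classify(rec)))
    return rows


if __name__ == "__main__":
    # Tagged functions first, so the interesting ones surface in a long report.
    for entry, names, tags in sorted(triage(SAMPLE), key=lambda r: not r[2]):
        print(entry, "|", ", ".join(tags) or "-", "|", " ".join(names))
```

Feed it the text of a whole report and sort by tags to surface the handful of functions worth opening in the disassembler first; the `via_subcall` field tells you whether a call is made directly or through a helper such as 008D9CB3.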
APIs
• BlockInput.USER32(00000001), ref: 0094EABD
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: BlockInput
• String ID:
• API String ID: 3456056419-0
• Opcode ID: 3579759fa594303b729f61a19d9cfe8ab88f0e5a196c9c82aed63693d915c76c
• Instruction ID: 6837990ffd685c9257abfcb100dd386b8fa57ed822d07eeb2ab86e66cd56c177
• Opcode Fuzzy Hash: 3579759fa594303b729f61a19d9cfe8ab88f0e5a196c9c82aed63693d915c76c
• Instruction Fuzzy Hash: 4EE01A352142059FC710EF5AD804E9AB7E9FF98760F00841AFD49C7361DAB0A8408B91
Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• DeleteObject.GDI32(00000000), ref: 00952B30
• DeleteObject.GDI32(00000000), ref: 00952B43
• DestroyWindow.USER32 ref: 00952B52
• GetDesktopWindow.USER32 ref: 00952B6D
• GetWindowRect.USER32(00000000), ref: 00952B74
• SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00952CA3
• AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00952CB1
• CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00952CF8
• GetClientRect.USER32(00000000,?), ref: 00952D04
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00952D40
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00952D62
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00952D75
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00952D80
• GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00952D89
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00952D98
• GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00952DA1
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00952DA8
• GlobalFree.KERNEL32(00000000), ref: 00952DB3
• CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00952DC5
• OleLoadPicture.OLEAUT32(?,00000000,00000000,0096FC38,00000000), ref: 00952DDB
• GlobalFree.KERNEL32(00000000), ref: 00952DEB
• CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00952E11
• SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00952E30
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00952E52
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0095303F
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
• String ID: $AutoIt v3$DISPLAY$static
• API String ID: 2211948467-2373415609
• Opcode ID: f6bce93c675ab4b25caaf63be54783097c1306fe4b53f7efa45c24ec3dc01965
• Instruction ID: 2c518db1daa6ba98b83e4f4f184761485fee15d0d32cd2e89e59033dbafa41be
• Opcode Fuzzy Hash: f6bce93c675ab4b25caaf63be54783097c1306fe4b53f7efa45c24ec3dc01965
• Instruction Fuzzy Hash: EB029BB1A10205EFDB14DF68DC89EAE7BB9FF49311F008159F915AB2A1CB74AD04DB60
Uniqueness

Uniqueness Score: -1.00%

APIs
• DestroyWindow.USER32(00000000), ref: 0095273E
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0095286A
• SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009528A9
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009528B9
• CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00952900
• GetClientRect.USER32(00000000,?), ref: 0095290C
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00952955
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00952964
• GetStockObject.GDI32(00000011), ref: 00952974
• SelectObject.GDI32(00000000,00000000), ref: 00952978
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00952988
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00952991
• DeleteDC.GDI32(00000000), ref: 0095299A
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009529C6
• SendMessageW.USER32(00000030,00000000,00000001), ref: 009529DD
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00952A1D
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00952A31
• SendMessageW.USER32(00000404,00000001,00000000), ref: 00952A42
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00952A77
• GetStockObject.GDI32(00000011), ref: 00952A82
• SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00952A8D
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00952A97
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
• API String ID: 2910397461-517079104
• Opcode ID: fa8cd7d094f7f5bf435c45e0428c974255d041633816ebb53c8ef1aa2b166263
• Instruction ID: 5e78c484005fc9d2b9fb0738bf72d3f49bc779cb279427dd1497510b69c5d6bb
• Opcode Fuzzy Hash: fa8cd7d094f7f5bf435c45e0428c974255d041633816ebb53c8ef1aa2b166263
• Instruction Fuzzy Hash: 1BB16CB1A10215AFEB14DFA8DC45FAE7BB9FB49711F008219F914E7290DBB4AD40DB90
Uniqueness

Uniqueness Score: -1.00%
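The two function blocks above (the one that loads a picture into an "AutoIt v3" window via OleLoadPicture, and the one that builds an "AutoIt v3" window with a msctls_progress32 child) look like AutoIt runtime GUI helpers rather than the sample's own logic, which is exactly the kind of block a triager wants to recognise and skip across reports. The report's "API ID" line is the key used for that: the script below, added here as an example and not Joe Sandbox's own code, parses an "APIs" listing in the format printed in these blocks and rebuilds that key. The construction rule it uses (split each API name into CamelCase tokens, drop tokens shorter than four characters such as Get, Set, Ex, W, DC and Pos, group the remaining tokens by frequency in descending order, alphabetical inside a group, groups joined with "$") is inferred from the two API IDs printed in this report and is an assumption, not a documented Joe Sandbox algorithm. The embedded sample is the API list of the progress-bar block, copied verbatim; the image base 0x8D0000 is the Offset from the Memory Dump Source line.

```python
"""Parse a Joe Sandbox function-block API listing and rebuild its 'API ID' key.
Added example; the key-derivation rule is inferred from the report, not official."""
import re
from collections import Counter

# One API line of a report block, e.g.
#   • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,...), ref: 00952CF8
#   • DestroyWindow.USER32 ref: 00952B52          (no argument list)
API_LINE = re.compile(
    r"^\s*•\s*(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# CamelCase tokens: "CreateStreamOnHGlobal" -> Create, Stream, On, H, Global
TOKEN = re.compile(r"[A-Z]+(?![a-z])|[A-Z][a-z]+")

# Assumption inferred from the IDs printed in this report: tokens shorter than
# four characters (Get, Set, Ex, W, Ole, DC, Pos, ...) do not enter the key.
MIN_TOKEN_LEN = 4

# Constructed sample: the API list of the progress-bar block, copied verbatim.
SAMPLE = """\
• DestroyWindow.USER32(00000000), ref: 0095273E
• SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0095286A
• SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 009528A9
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 009528B9
• CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00952900
• GetClientRect.USER32(00000000,?), ref: 0095290C
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00952955
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00952964
• GetStockObject.GDI32(00000011), ref: 00952974
• SelectObject.GDI32(00000000,00000000), ref: 00952978
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00952988
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00952991
• DeleteDC.GDI32(00000000), ref: 0095299A
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 009529C6
• SendMessageW.USER32(00000030,00000000,00000001), ref: 009529DD
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00952A1D
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00952A31
• SendMessageW.USER32(00000404,00000001,00000000), ref: 00952A42
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00952A77
• GetStockObject.GDI32(00000011), ref: 00952A82
• SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00952A8D
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00952A97
"""


def parse_api_lines(text):
    """Return the API calls of a block as dicts (name, module, args, ref)."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headers such as "APIs" / "Strings" are skipped
        args = m.group("args")
        calls.append({
            "name": m.group("name"),
            "module": m.group("module"),
            "args": args.split(",") if args else [],
            "ref": int(m.group("ref"), 16),  # call-site VA in the dump
        })
    return calls


def api_tokens(name):
    """Key tokens of one API name, e.g. 'SetWindowPos' -> ['Window']."""
    return [t for t in TOKEN.findall(name) if len(t) >= MIN_TOKEN_LEN]


def api_id(names):
    """Tokens grouped by frequency (descending), alphabetical inside a group,
    groups joined with '$': the layout of the report's 'API ID' line."""
    counts = Counter(t for n in names for t in api_tokens(n))
    by_count = {}
    for tok, c in counts.items():
        by_count.setdefault(c, []).append(tok)
    return "$".join("".join(sorted(by_count[c]))
                    for c in sorted(by_count, reverse=True))


def call_span(calls, image_base=0x8D0000):
    """(lowest, highest) RVA of the call sites, relative to the dump's image base."""
    refs = [c["ref"] for c in calls]
    return min(refs) - image_base, max(refs) - image_base


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    print(len(calls), "calls, RVA span %#x-%#x" % call_span(calls))
    print("API ID:", api_id(c["name"] for c in calls))
```

Run against the sample, the rebuilt key equals the API ID printed in the block above, and the RVA span (0x8273E to 0x82A97) tells you where in the 0x8D0000 dump to look for the function. Keys built this way from several reports can be compared directly to spot recurring runtime helpers; the argument list is kept so that window titles and class names ("AutoIt v3", msctls_progress32) remain available for a separate string key.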

APIs
• SetErrorMode.KERNEL32(00000001), ref: 00944AED
• GetDriveTypeW.KERNEL32(?,0096CB68,?,\\.\,0096CC08), ref: 00944BCA
• SetErrorMode.KERNEL32(00000000,0096CB68,?,\\.\,0096CC08), ref: 00944D36
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorMode$DriveType
                                                                                                                                                                                                                                                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                                                                                                                                                                                          • API String ID: 2907320926-4222207086
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetCursorPos.USER32(?), ref: 00961128
• GetDesktopWindow.USER32 ref: 0096113D
• GetWindowRect.USER32(00000000), ref: 00961144
• GetWindowLongW.USER32(?,000000F0), ref: 00961199
• DestroyWindow.USER32(?), ref: 009611B9
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009611ED
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0096120B
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0096121D
• SendMessageW.USER32(00000000,00000421,?,?), ref: 00961232
• SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00961245
• IsWindowVisible.USER32(00000000), ref: 009612A1
• SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 009612BC
• SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 009612D0
• GetWindowRect.USER32(00000000,?), ref: 009612E8
• MonitorFromPoint.USER32(?,?,00000002), ref: 0096130E
• GetMonitorInfoW.USER32(00000000,?), ref: 00961328
• CopyRect.USER32(?,?), ref: 0096133F
• SendMessageW.USER32(00000000,00000412,00000000), ref: 009613AA
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
Uniqueness

Uniqueness Score: -1.00%

APIs
• CharUpperBuffW.USER32(?,?), ref: 009602E5
• _wcslen.LIBCMT ref: 0096031F
• _wcslen.LIBCMT ref: 00960389
• _wcslen.LIBCMT ref: 009603F1
• _wcslen.LIBCMT ref: 00960475
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009604C5
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00960504
  • Part of subcall function 008EF9F2: _wcslen.LIBCMT ref: 008EF9FD
  • Part of subcall function 0093223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00932258
  • Part of subcall function 0093223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0093228A
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: _wcslen$MessageSend$BuffCharUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 1103490817-719923060
Uniqueness

Uniqueness Score: -1.00%

APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008E8968
• GetSystemMetrics.USER32(00000007), ref: 008E8970
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008E899B
• GetSystemMetrics.USER32(00000008), ref: 008E89A3
• GetSystemMetrics.USER32(00000004), ref: 008E89C8
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 008E89E5
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 008E89F5
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 008E8A28
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 008E8A3C
• GetClientRect.USER32(00000000,000000FF), ref: 008E8A5A
• GetStockObject.GDI32(00000011), ref: 008E8A76
• SendMessageW.USER32(00000000,00000030,00000000), ref: 008E8A81
  • Part of subcall function 008E912D: GetCursorPos.USER32(?), ref: 008E9141
  • Part of subcall function 008E912D: ScreenToClient.USER32(00000000,?), ref: 008E915E
  • Part of subcall function 008E912D: GetAsyncKeyState.USER32(00000001), ref: 008E9183
  • Part of subcall function 008E912D: GetAsyncKeyState.USER32(00000002), ref: 008E919D
                                                                                                                                                                                                                                                          • SetTimer.USER32(00000000,00000000,00000028,008E90FC), ref: 008E8AA8
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                                                                                                                                                                                          • String ID: AutoIt v3 GUI
                                                                                                                                                                                                                                                          • API String ID: 1458621304-248962490
                                                                                                                                                                                                                                                          • Opcode ID: 5991e8a243778cf8ad2f000fce33e80c8c744e160e6c6e594d0f416ea4018a64
                                                                                                                                                                                                                                                          • Instruction ID: ae4276971843f18ad94a97b62c031f275f4393af04853ffd157db43cc7e29df9
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5991e8a243778cf8ad2f000fce33e80c8c744e160e6c6e594d0f416ea4018a64
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23B19A75A0421AEFDB14DFA8EC45BAE3BB8FB49314F104229FA15E7290DB74A840DF51
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
  • Part of subcall function 009310F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00931114
  • Part of subcall function 009310F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00930B9B,?,?,?), ref: 00931120
  • Part of subcall function 009310F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00930B9B,?,?,?), ref: 0093112F
  • Part of subcall function 009310F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00930B9B,?,?,?), ref: 00931136
  • Part of subcall function 009310F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0093114D
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00930DF5
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00930E29
• GetLengthSid.ADVAPI32(?), ref: 00930E40
• GetAce.ADVAPI32(?,00000000,?), ref: 00930E7A
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00930E96
• GetLengthSid.ADVAPI32(?), ref: 00930EAD
• GetProcessHeap.KERNEL32(00000008,00000008), ref: 00930EB5
• HeapAlloc.KERNEL32(00000000), ref: 00930EBC
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00930EDD
• CopySid.ADVAPI32(00000000), ref: 00930EE4
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00930F13
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00930F35
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00930F47
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00930F6E
• HeapFree.KERNEL32(00000000), ref: 00930F75
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00930F7E
• HeapFree.KERNEL32(00000000), ref: 00930F85
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00930F8E
• HeapFree.KERNEL32(00000000), ref: 00930F95
• GetProcessHeap.KERNEL32(00000000,?), ref: 00930FA1
• HeapFree.KERNEL32(00000000), ref: 00930FA8
  • Part of subcall function 00931193: GetProcessHeap.KERNEL32(00000008,00930BB1,?,00000000,?,00930BB1,?), ref: 009311A1
  • Part of subcall function 00931193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00930BB1,?), ref: 009311A8
  • Part of subcall function 00931193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00930BB1,?), ref: 009311B7
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 4175595110-0
• Opcode ID: 965f982e264e175c9ec0d40c86301533ecf663e1c88a79b48b32f1e7bc816012
• Instruction ID: 58b133975c9a3f9f89c4dd6a2c5ba687d428e7ab6fa46d557bfd3a4b7577e12f
• Opcode Fuzzy Hash: 965f982e264e175c9ec0d40c86301533ecf663e1c88a79b48b32f1e7bc816012
• Instruction Fuzzy Hash: DC7159B290420AABDF209FA4DC48BAEBBBCBF45300F048219F959A6191D7719A05CF60
Uniqueness

Uniqueness Score: -1.00%

APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0095C4BD
• RegCreateKeyExW.ADVAPI32(?,?,00000000,0096CC08,00000000,?,00000000,?,?), ref: 0095C544
• RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0095C5A4
• _wcslen.LIBCMT ref: 0095C5F4
• _wcslen.LIBCMT ref: 0095C66F
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0095C6B2
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0095C7C1
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0095C84D
• RegCloseKey.ADVAPI32(?), ref: 0095C881
• RegCloseKey.ADVAPI32(00000000), ref: 0095C88E
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0095C960
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Value$Close$_wcslen$ConnectCreateRegistry
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 9721498-966354055
• Opcode ID: ff5d745aa26f6e4152100dc7b6f57368a16596eb7fab5b0679af204cae52886a
• Instruction ID: ba13e1d9b18c153e52ea52c124dc43874742c9e8a70a00195b2fe91445f29ecd
• Opcode Fuzzy Hash: ff5d745aa26f6e4152100dc7b6f57368a16596eb7fab5b0679af204cae52886a
• Instruction Fuzzy Hash: C31269752042019FCB14DF19C881E2AB7E5FF88714F04895DF98A9B3A2DB31ED45CB82
Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • CharUpperBuffW.USER32(?,?), ref: 009609C6
                                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 00960A01
                                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00960A54
                                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 00960A8A
                                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 00960B06
                                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 00960B81
                                                                                                                                                                                                                                                            • Part of subcall function 008EF9F2: _wcslen.LIBCMT ref: 008EF9FD
                                                                                                                                                                                                                                                            • Part of subcall function 00932BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00932BFA
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                                                                                                                                                                                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                                                                                                                                                                                          • API String ID: 1103490817-4258414348
                                                                                                                                                                                                                                                          • Opcode ID: 87e2be5e7652952f066fbdb12c25529ee041eeb99ec93c81971e93fd294ae4d1
                                                                                                                                                                                                                                                          • Instruction ID: 491869a6a8b0ba93eeee478f8efc7ec742f2be3be05adb6d411fdc3b269d579b
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 87e2be5e7652952f066fbdb12c25529ee041eeb99ec93c81971e93fd294ae4d1
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 57E157312083019FCB14DF69C49092AB7E6FFD8354B548A5DF8969B3A2DB31ED45CB82
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _wcslen$BuffCharUpper
                                                                                                                                                                                                                                                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                                                                                                                                                                          • API String ID: 1256254125-909552448
                                                                                                                                                                                                                                                          • Opcode ID: aadf09255b19f3418f160ccfc4e4432c1b7ce5d9ba61cea41351cd19f6beedab
                                                                                                                                                                                                                                                          • Instruction ID: f793bc1113f948c62d592ff2d71e7f07c58761d875d7530151550ca3189baab1
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aadf09255b19f3418f160ccfc4e4432c1b7ce5d9ba61cea41351cd19f6beedab
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CD7125B261432A8FCF20DE7ECD415BB3799AB60755F140529FCA6E7285EA34CD48C3A1
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 0096835A
                                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 0096836E
                                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 00968391
                                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 009683B4
                                                                                                                                                                                                                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009683F2
                                                                                                                                                                                                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00965BF2), ref: 0096844E
                                                                                                                                                                                                                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00968487
                                                                                                                                                                                                                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 009684CA
                                                                                                                                                                                                                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00968501
                                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(?), ref: 0096850D
                                                                                                                                                                                                                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0096851D
                                                                                                                                                                                                                                                          • DestroyIcon.USER32(?,?,?,?,?,00965BF2), ref: 0096852C
                                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00968549
                                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00968555
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                                                                                                                                                                                                          • String ID: .dll$.exe$.icl
                                                                                                                                                                                                                                                          • API String ID: 799131459-1154884017
                                                                                                                                                                                                                                                          • Opcode ID: a285f2623fa7a6a1c4ebd8b10839dbc8f0d86e182364605df5b7298794adcc4d
                                                                                                                                                                                                                                                          • Instruction ID: a11a9bedcf206dc5bb0cc706b311fc66a5b98358d06e3eec0048a2674c7ec0e5
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a285f2623fa7a6a1c4ebd8b10839dbc8f0d86e182364605df5b7298794adcc4d
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FA61DF71614219BAEB14DF64CC81BBF77ACFB04711F10464AF916D61E1EFB4AA80D7A0
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 008F00C6
                                                                                                                                                                                                                                                            • Part of subcall function 008F00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(009A070C,00000FA0,A8BC04BA,?,?,?,?,009123B3,000000FF), ref: 008F011C
  • Part of subcall function 008F00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,009123B3,000000FF), ref: 008F0127
  • Part of subcall function 008F00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,009123B3,000000FF), ref: 008F0138
  • Part of subcall function 008F00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 008F014E
  • Part of subcall function 008F00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 008F015C
  • Part of subcall function 008F00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 008F016A
  • Part of subcall function 008F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008F0195
  • Part of subcall function 008F00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 008F01A0
• ___scrt_fastfail.LIBCMT ref: 008F00E7
  • Part of subcall function 008F00A3: __onexit.LIBCMT ref: 008F00A9
Strings
• api-ms-win-core-synch-l1-2-0.dll, xrefs: 008F0122
• SleepConditionVariableCS, xrefs: 008F0154
• InitializeConditionVariable, xrefs: 008F0148
• WakeAllConditionVariable, xrefs: 008F0162
• kernel32.dll, xrefs: 008F0133
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
• String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
• API String ID: 66158676-1714406822
• Opcode ID: b4303df874bc79ffa615aafb1f148e32acdf42015e783b8511d6e4b27eca1c3c
• Instruction ID: 297cb7b57a7bebe5ced3627c48e6a263bdbf7f9fc127e27557547d7c95d07b80
• Opcode Fuzzy Hash: b4303df874bc79ffa615aafb1f148e32acdf42015e783b8511d6e4b27eca1c3c
• Instruction Fuzzy Hash: 5321267265D7196FE7106BB8AC15B7A3394FB86B54F01013AFA01E72D2DFB0A8409E91
Uniqueness

Uniqueness Score: -1.00%

APIs
• CharLowerBuffW.USER32(00000000,00000000,0096CC08), ref: 00944527
• _wcslen.LIBCMT ref: 0094453B
• _wcslen.LIBCMT ref: 00944599
• _wcslen.LIBCMT ref: 009445F4
• _wcslen.LIBCMT ref: 0094463F
• _wcslen.LIBCMT ref: 009446A7
  • Part of subcall function 008EF9F2: _wcslen.LIBCMT ref: 008EF9FD
• GetDriveTypeW.KERNEL32(?,00996BF0,00000061), ref: 00944743
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: _wcslen$BuffCharDriveLowerType
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2055661098-1000479233
• Opcode ID: 6975828f20751885a9afda7eff9c78e2953d3144604744ec30a605cf3ea091a7
• Instruction ID: 06150bfcc8c1c2d3003c44c6c22e886dd053c3b6cf9eb21fd568685e3cba18e6
• Opcode Fuzzy Hash: 6975828f20751885a9afda7eff9c78e2953d3144604744ec30a605cf3ea091a7
• Instruction Fuzzy Hash: 86B1CE716083029BCB20DF28C890E7AB7E9FFA5764F504A1EF596C7291E730D845CB92
Uniqueness

Uniqueness Score: -1.00%

APIs
• _wcslen.LIBCMT ref: 0095B198
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0095B1B0
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0095B1D4
• _wcslen.LIBCMT ref: 0095B200
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0095B214
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0095B236
• _wcslen.LIBCMT ref: 0095B332
  • Part of subcall function 009405A7: GetStdHandle.KERNEL32(000000F6), ref: 009405C6
• _wcslen.LIBCMT ref: 0095B34B
• _wcslen.LIBCMT ref: 0095B366
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0095B3B6
• GetLastError.KERNEL32(00000000), ref: 0095B407
• CloseHandle.KERNEL32(?), ref: 0095B439
• CloseHandle.KERNEL32(00000000), ref: 0095B44A
• CloseHandle.KERNEL32(00000000), ref: 0095B45C
• CloseHandle.KERNEL32(00000000), ref: 0095B46E
• CloseHandle.KERNEL32(?), ref: 0095B4E3
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
• String ID:
• API String ID: 2178637699-0
• Opcode ID: 0da4aa330aee4040134aa7ffb5868597303cc54b5fa3435c8d469a068a913738
• Instruction ID: d85f68575e73aa97c0cdac47be519b35f4fef8968975c17fddca2f9255c51a92
• Opcode Fuzzy Hash: 0da4aa330aee4040134aa7ffb5868597303cc54b5fa3435c8d469a068a913738
• Instruction Fuzzy Hash: 36F17C716083409FC724EF29C891B6ABBE5FF85314F14895EF8959B2A2DB31EC44CB52
Uniqueness

Uniqueness Score: -1.00%

APIs
• DestroyWindow.USER32(00000000,?), ref: 00966DEB
  • Part of subcall function 008D6B57: _wcslen.LIBCMT ref: 008D6B6A
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00966E5F
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00966E81
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00966E94
• DestroyWindow.USER32(?), ref: 00966EB5
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,008D0000,00000000), ref: 00966EE4
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00966EFD
• GetDesktopWindow.USER32 ref: 00966F16
• GetWindowRect.USER32(00000000), ref: 00966F1D
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00966F35
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00966F4D
  • Part of subcall function 008E9944: GetWindowLongW.USER32(?,000000EB), ref: 008E9952
Strings
Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                                                                                                                                                                                                                          • String ID: 0$tooltips_class32
                                                                                                                                                                                                                                                          • API String ID: 2429346358-3619404913
                                                                                                                                                                                                                                                          • Opcode ID: 053423cb94f3a338cebaf3545931e8959c52edd773a71ea11814e0ab0ac6ffda
                                                                                                                                                                                                                                                          • Instruction ID: ae2495e6d64d356b511f7f67141b937d7606fb5d8d7983d33ea990809edd3196
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 053423cb94f3a338cebaf3545931e8959c52edd773a71ea11814e0ab0ac6ffda
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1B7177B4108245AFDB21CF18DC48EBBBBE9FB99304F04091EF99987261C771E916DB16
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0094C4B0
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0094C4C3
                                                                                                                                                                                                                                                          • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0094C4D7
                                                                                                                                                                                                                                                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0094C4F0
                                                                                                                                                                                                                                                          • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0094C533
                                                                                                                                                                                                                                                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0094C549
                                                                                                                                                                                                                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0094C554
                                                                                                                                                                                                                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0094C584
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0094C5DC
                                                                                                                                                                                                                                                          • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0094C5F0
                                                                                                                                                                                                                                                          • InternetCloseHandle.WININET(00000000), ref: 0094C5FB
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3800310941-3916222277
                                                                                                                                                                                                                                                          • Opcode ID: d5830195855593ae0cf80a9a208a585a2252781c1508449a446376035ce6b2df
                                                                                                                                                                                                                                                          • Instruction ID: 6b77f34c5a89c488038adc4e6abd0a6deadab5237ff82e86baaa622ac0db66a7
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d5830195855593ae0cf80a9a208a585a2252781c1508449a446376035ce6b2df
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9C515AF0515209BFDB619FA5C988EBB7BBCFF08754F00841EF98596210EB74E944AB60
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00968592
                                                                                                                                                                                                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009685A2
                                                                                                                                                                                                                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009685AD
                                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009685BA
                                                                                                                                                                                                                                                          • GlobalLock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009685C8
                                                                                                                                                                                                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009685D7
                                                                                                                                                                                                                                                          • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009685E0
                                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009685E7
                                                                                                                                                                                                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 009685F8
                                                                                                                                                                                                                                                          • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0096FC38,?), ref: 00968611
                                                                                                                                                                                                                                                          • GlobalFree.KERNEL32(00000000), ref: 00968621
                                                                                                                                                                                                                                                          • GetObjectW.GDI32(?,00000018,?), ref: 00968641
                                                                                                                                                                                                                                                          • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00968671
                                                                                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 00968699
                                                                                                                                                                                                                                                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009686AF
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3840717409-0
                                                                                                                                                                                                                                                          • Opcode ID: 144bfac9482da31527786839c9da508c68f22e953b254ef1e1f4aa9e2b86abe0
                                                                                                                                                                                                                                                          • Instruction ID: cfabc2a0af2bf52c950c0fd3c905e6abe0e9f5cd9e781afd6b720ef859de91f6
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 144bfac9482da31527786839c9da508c68f22e953b254ef1e1f4aa9e2b86abe0
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7B4148B1604208AFDB119FA5CC48EAB7BBCEF89B11F104159F956E7260DB709901DB20
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetDC.USER32(00000000), ref: 009525D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009525E8
• CreateCompatibleDC.GDI32(?), ref: 009525F4
• SelectObject.GDI32(00000000,?), ref: 00952601
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0095266D
• GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009526AC
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009526D0
• SelectObject.GDI32(?,?), ref: 009526D8
• DeleteObject.GDI32(?), ref: 009526E1
• DeleteDC.GDI32(?), ref: 009526E8
• ReleaseDC.USER32(00000000,?), ref: 009526F3
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
• Opcode ID: bd963b81831c4945d63aed9c6e84447d232ff6c309750de37ec64f6507b3d58d
• Instruction ID: da771041d76f998406bbb68ea5cf7bf320ebe0238bfa6d6e9b3f003d09249f04
• Opcode Fuzzy Hash: bd963b81831c4945d63aed9c6e84447d232ff6c309750de37ec64f6507b3d58d
• Instruction Fuzzy Hash: FE61F2B5D04219EFCF04CFA8D884AAEBBB5FF49310F20852AF955A7250D774A941DF90
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetClassNameW.USER32(?,?,00000400), ref: 00934994
• GetWindowTextW.USER32(?,?,00000400), ref: 009349DA
• _wcslen.LIBCMT ref: 009349EB
• CharUpperBuffW.USER32(?,00000000), ref: 009349F7
• _wcsstr.LIBVCRUNTIME ref: 00934A2C
• GetClassNameW.USER32(00000018,?,00000400), ref: 00934A64
• GetWindowTextW.USER32(?,?,00000400), ref: 00934A9D
• GetClassNameW.USER32(00000018,?,00000400), ref: 00934AE6
• GetClassNameW.USER32(?,?,00000400), ref: 00934B20
• GetWindowRect.USER32(?,?), ref: 00934B8B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
• String ID: ThumbnailClass
• API String ID: 1311036022-1241985126
• Opcode ID: 837b1a49149cf7022a0e5dbee092d4b1d4b9bdd0c5b6b79924c1edd42cb7b84a
• Instruction ID: 03164b15f2380fa7ac71e5c45202d86a3d63cbba7b82efc8cf6608d69fc8fc50
• Opcode Fuzzy Hash: 837b1a49149cf7022a0e5dbee092d4b1d4b9bdd0c5b6b79924c1edd42cb7b84a
• Instruction Fuzzy Hash: 7191AC7110820A9FDB04CF14C985BAABBECFF84314F05846AFD859A196DB34ED45CFA2
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 008E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008E9BB2
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00968D5A
• GetFocus.USER32 ref: 00968D6A
• GetDlgCtrlID.USER32(00000000), ref: 00968D75
• DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00968E1D
• GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00968ECF
• GetMenuItemCount.USER32(?), ref: 00968EEC
• GetMenuItemID.USER32(?,00000000), ref: 00968EFC
• GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00968F2E
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00968F70
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00968FA1
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
• String ID: 0
• API String ID: 1026556194-4108050209
• Opcode ID: 6936fc288e06d5d0febb8acd7ca59841c7e56a33b53fcce7aeeddb2378efeda1
• Instruction ID: 8f2366d3cc1bbdc5297756261676da403ee4c425a0d9f8134c93fb1ff8478fb8
• Opcode Fuzzy Hash: 6936fc288e06d5d0febb8acd7ca59841c7e56a33b53fcce7aeeddb2378efeda1
• Instruction Fuzzy Hash: 5581BEB1508301AFDB11DF24D884AABBBE9FF89354F140A1EF985D7291DB71D900DBA2
Uniqueness
• Uniqueness Score: -1.00%

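The function blocks above list API call chains without saying what they add up to. As an added example (not part of the Joe Sandbox report and not sandbox code), here is a Python triage helper that parses this exact listing format and tags a function when an ordered API sequence appears: CreateCompatibleDC, then StretchBlt or BitBlt, then GetDIBits for a screen grab; GetClassNameW then GetWindowTextW for window-text inspection; RegEnumKeyExW then RegDeleteKeyW or RegDeleteKeyExW for recursive key removal; LoadLibrary then GetProcAddress for late-bound imports, surfacing the export name when the report prints it literally. The rule names are my own labels, not sandbox signatures; the two sample blocks embedded below are copied from the GDI and registry listings on this page, and "Part of subcall function" lines are kept distinguishable so the reader can see which tags depend on them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

# One bullet of a Joe Sandbox "APIs" block. Handles the three shapes seen in the listing:
#   • StretchBlt.GDI32(?,00000000,...,00CC0020), ref: 0095266D
#   • _wcslen.LIBCMT ref: 009349EB                        (no argument list)
#   • Part of subcall function 0095CC34: RegDeleteKeyW.ADVAPI32(?,?), ref: 0095CCF3
API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"(?:\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]      # as printed by the sandbox; "?" means unresolved
    ref: Optional[str]         # call-site address
    subcall_of: Optional[str]  # callee address when the call is reached through a subcall

def parse_api_listing(text: str) -> List[ApiCall]:
    """Parse one function's API block; lines that are not API bullets are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        calls.append(ApiCall(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
    return calls

# Behaviour rules (my own names, not sandbox signatures): an ordered list of steps, each
# satisfied by any API in it. A rule fires when the steps occur as a subsequence of the
# listing, in the order the report prints the calls.
RULES: Dict[str, Sequence[Sequence[str]]] = {
    "screen_capture": (("CreateCompatibleDC",), ("BitBlt", "StretchBlt"), ("GetDIBits",)),
    "window_text_inspection": (("GetClassNameW", "GetClassNameA"), ("GetWindowTextW", "GetWindowTextA")),
    "registry_subtree_deletion": (("RegEnumKeyExW", "RegEnumKeyExA"), ("RegDeleteKeyW", "RegDeleteKeyExW")),
    "dynamic_api_resolution": (("LoadLibraryA", "LoadLibraryW"), ("GetProcAddress",)),
}

def _in_order(calls: Sequence[ApiCall], steps: Sequence[Sequence[str]]) -> bool:
    i = 0
    for c in calls:
        if i < len(steps) and c.api in steps[i]:
            i += 1
    return i == len(steps)

def _is_placeholder(arg: str) -> bool:
    # "?" or an 8-digit hex immediate carries no name; anything else is a literal string.
    return arg == "?" or re.fullmatch(r"-?[0-9A-Fa-f]{8}", arg) is not None

def tag_behaviours(calls: List[ApiCall], include_subcalls: bool = True) -> Dict[str, list]:
    """Return matched rule names plus export names passed literally to GetProcAddress."""
    seq = [c for c in calls if include_subcalls or c.subcall_of is None]
    tags = sorted(name for name, steps in RULES.items() if _in_order(seq, steps))
    resolved = [c.args[1] for c in seq
                if c.api == "GetProcAddress" and len(c.args) > 1 and not _is_placeholder(c.args[1])]
    return {"tags": tags, "resolved_exports": resolved}

# Sample input copied from two API blocks of this listing (the GDI chain starting at
# 009525E8 and the registry chain starting at 0095CC64); nothing here is invented.
SCREEN_CAPTURE_BLOCK = """\
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 009525E8
• CreateCompatibleDC.GDI32(?), ref: 009525F4
• SelectObject.GDI32(00000000,?), ref: 00952601
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0095266D
• GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 009526AC
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 009526D0
• SelectObject.GDI32(?,?), ref: 009526D8
• DeleteObject.GDI32(?), ref: 009526E1
• DeleteDC.GDI32(?), ref: 009526E8
• ReleaseDC.USER32(00000000,?), ref: 009526F3
"""

REGISTRY_BLOCK = """\
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0095CC64
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0095CC8D
• FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0095CD48
  • Part of subcall function 0095CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0095CCAA
  • Part of subcall function 0095CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0095CCBD
  • Part of subcall function 0095CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0095CCCF
  • Part of subcall function 0095CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0095CD05
  • Part of subcall function 0095CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0095CD28
• RegDeleteKeyW.ADVAPI32(?,?), ref: 0095CCF3
"""

if __name__ == "__main__":
    for name, block in (("gdi", SCREEN_CAPTURE_BLOCK), ("registry", REGISTRY_BLOCK)):
        print(name, tag_behaviours(parse_api_listing(block)))
    print("registry without subcalls:", tag_behaviours(parse_api_listing(REGISTRY_BLOCK), False))
```

A tag is a triage hint about what the function can do, not proof that the payload does it: in a binary that carries an interpreter runtime with an embedded script, a function like these may belong to the runtime library and only matters if the script reaches it, so confirm with the dynamic behaviour sections of the report. The subcall toggle matters for the registry block: the dynamic-resolution tag and the resolved export RegDeleteKeyExW come entirely from "Part of subcall function" lines, which is why the helper keeps them distinguishable rather than flattening them into the parent's list.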
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0095CC64
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0095CC8D
• FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0095CD48
  • Part of subcall function 0095CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0095CCAA
  • Part of subcall function 0095CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0095CCBD
  • Part of subcall function 0095CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0095CCCF
  • Part of subcall function 0095CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0095CD05
  • Part of subcall function 0095CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0095CD28
• RegDeleteKeyW.ADVAPI32(?,?), ref: 0095CCF3
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
• String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                                                                                                                                                                          • API String ID: 2734957052-4033151799
                                                                                                                                                                                                                                                          • Opcode ID: 992e8758e39092c46b0d8d9b0ec772d8c46946cef90b214fe334d50654dd34bf
                                                                                                                                                                                                                                                          • Instruction ID: bb29e94d9fddc984df5c72fd52d62b56809d2d5a47f5993fa9c6bbf6c5ffa319
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 992e8758e39092c46b0d8d9b0ec772d8c46946cef90b214fe334d50654dd34bf
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 173190B1905218BFDB20DB95DC88EFFBB7CEF42741F000469F945E2140DAB48A49ABA0
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• timeGetTime.WINMM ref: 0093E6B4
  • Part of subcall function 008EE551: timeGetTime.WINMM(?,?,0093E6D4), ref: 008EE555
• Sleep.KERNEL32(0000000A), ref: 0093E6E1
• EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0093E705
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0093E727
• SetActiveWindow.USER32 ref: 0093E746
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0093E754
• SendMessageW.USER32(00000010,00000000,00000000), ref: 0093E773
• Sleep.KERNEL32(000000FA), ref: 0093E77E
• IsWindow.USER32 ref: 0093E78A
• EndDialog.USER32(00000000), ref: 0093E79B
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
• Opcode ID: 58f92de93c68be76bd0d697460b1ac928db3c86da89f5e4bbef0c4c0b2c3e8b3
• Instruction ID: da24accfe5a394399af642ff9f251080d10bfd57583c814774f281f6bde3410e
• Opcode Fuzzy Hash: 58f92de93c68be76bd0d697460b1ac928db3c86da89f5e4bbef0c4c0b2c3e8b3
• Instruction Fuzzy Hash: D72184B0268205AFEB105F64EC99A393B6DFB56349F10042AF456826E1DBB1AC00AF65
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 008D9CB3: _wcslen.LIBCMT ref: 008D9CBD
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0093EA5D
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0093EA73
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0093EA84
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0093EA96
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0093EAA7
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: SendString$_wcslen
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2420728520-1007645807
• Opcode ID: 36755f45f3310dffaffa3a717d10f908a08e1c6c3d69a3e6a47053d367e64baa
• Instruction ID: 8f54e6813c13f1c3277d38bcc98fee1883aba34d997bab0056753acb83deb4dc
• Opcode Fuzzy Hash: 36755f45f3310dffaffa3a717d10f908a08e1c6c3d69a3e6a47053d367e64baa
• Instruction Fuzzy Hash: C6118631A5026979DB20A7AADC4AEFF6B7CFBD1F44F00052AB401E21D1EEB05D45C9B2
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 008E8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,008E8BE8,?,00000000,?,?,?,?,008E8BBA,00000000,?), ref: 008E8FC5
• DestroyWindow.USER32(?), ref: 008E8C81
• KillTimer.USER32(00000000,?,?,?,?,008E8BBA,00000000,?), ref: 008E8D1B
• DestroyAcceleratorTable.USER32(00000000), ref: 00926973
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,008E8BBA,00000000,?), ref: 009269A1
• ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,008E8BBA,00000000,?), ref: 009269B8
• ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,008E8BBA,00000000), ref: 009269D4
• DeleteObject.GDI32(00000000), ref: 009269E6
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
• Opcode ID: 975b5ada231a1b4de99b07ca8bab5e3aafb1dcfd35bb361cea9aca77bf1a38bf
• Instruction ID: ff9197f9e2a690fccba8d339c385e5c78d052658301eff7bb7ed977fed93e5f0
• Opcode Fuzzy Hash: 975b5ada231a1b4de99b07ca8bab5e3aafb1dcfd35bb361cea9aca77bf1a38bf
• Instruction Fuzzy Hash: 6561CD30116650DFCB659F1AE948B2A77F1FF83316F20851DE0869B960CB75AD80EF90
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 008D6B57: _wcslen.LIBCMT ref: 008D6B6A
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009307A2
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009307BE
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009307DA
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00930804
• CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 0093082C
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00930837
                                                                                                                                                                                                                                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0093083C
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                                                                                                                                                                                                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                                                                                                                                                                          • API String ID: 323675364-22481851
                                                                                                                                                                                                                                                          • Opcode ID: ded254ff3deafe7fd4231b52e02f0a5b5176ca270d15b3337ea7282a24ceb4d0
                                                                                                                                                                                                                                                          • Instruction ID: 4104f0ac7e980f448414ea91fe4c86d817ec7e6a56c7404db1519c6d44a1f419
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ded254ff3deafe7fd4231b52e02f0a5b5176ca270d15b3337ea7282a24ceb4d0
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E0412972C10228ABDF15EBA8DC958EEB778FF44350F15412AF941A3260EB709E04CF91
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • WSAStartup.WSOCK32(00000101,?), ref: 009505BC
                                                                                                                                                                                                                                                          • inet_addr.WSOCK32(?), ref: 0095061C
                                                                                                                                                                                                                                                          • gethostbyname.WSOCK32(?), ref: 00950628
                                                                                                                                                                                                                                                          • IcmpCreateFile.IPHLPAPI ref: 00950636
                                                                                                                                                                                                                                                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009506C6
                                                                                                                                                                                                                                                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009506E5
                                                                                                                                                                                                                                                          • IcmpCloseHandle.IPHLPAPI(?), ref: 009507B9
                                                                                                                                                                                                                                                          • WSACleanup.WSOCK32 ref: 009507BF
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                                                                                                                                                                                          • String ID: Ping
                                                                                                                                                                                                                                                          • API String ID: 1028309954-2246546115
                                                                                                                                                                                                                                                          • Opcode ID: 253beaa8aa4c9adaf8cc9a5674d1fc96dc7875be69be55233e543790b7d68767
                                                                                                                                                                                                                                                          • Instruction ID: bdc2b9f3d606fa1c8ac0ace8ad325023a2a088050d09cdd596181bf5e1cfb635
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 253beaa8aa4c9adaf8cc9a5674d1fc96dc7875be69be55233e543790b7d68767
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 659180755082019FD320DF1AD889B16BBE4FF88318F158599F8698B7A2D770ED45CF81
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _wcslen$BuffCharLower
                                                                                                                                                                                                                                                          • String ID: cdecl$none$stdcall$winapi
                                                                                                                                                                                                                                                          • API String ID: 707087890-567219261
                                                                                                                                                                                                                                                          • Opcode ID: 316d981365d7b2e2552234395263fc976caa0f355ef6dea5a8863b9bd7012a74
                                                                                                                                                                                                                                                          • Instruction ID: 926e9b1c613efbe21819adeb73bfe822d68860a6a5c62cfe9efab34e9ee2f534
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 316d981365d7b2e2552234395263fc976caa0f355ef6dea5a8863b9bd7012a74
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EB519F31A001169ACB24EF6DC8419BFB7F9BF64725B204629E866F72C4EB35DD48C790
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetLocalTime.KERNEL32(?), ref: 00948257
                                                                                                                                                                                                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00948267
                                                                                                                                                                                                                                                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00948273
                                                                                                                                                                                                                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00948310
                                                                                                                                                                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00948324
                                                                                                                                                                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00948356
                                                                                                                                                                                                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0094838C
                                                                                                                                                                                                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00948395
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: CurrentDirectoryTime$File$Local$System
• String ID: *.*
• API String ID: 1464919966-438819550
• Opcode ID: c633c1e3f1066a21b63b843997773f578a68ffe5c15c71a0cca9d63d17591c67
• Instruction ID: 99072dcb40c69a8befad2338b08725772c00935b588f55b60e7e0c4528ae6aee
• Opcode Fuzzy Hash: c633c1e3f1066a21b63b843997773f578a68ffe5c15c71a0cca9d63d17591c67
• Instruction Fuzzy Hash: 536125B25082059FCB10EF64D840DAFB3E8FF89314F04891AF999D7251EB75E945CB92
Uniqueness

Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 00902C94
  • Part of subcall function 009029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0090D7D1,00000000,00000000,00000000,00000000,?,0090D7F8,00000000,00000007,00000000,?,0090DBF5,00000000), ref: 009029DE
  • Part of subcall function 009029C8: GetLastError.KERNEL32(00000000,?,0090D7D1,00000000,00000000,00000000,00000000,?,0090D7F8,00000000,00000007,00000000,?,0090DBF5,00000000,00000000), ref: 009029F0
• _free.LIBCMT ref: 00902CA0
• _free.LIBCMT ref: 00902CAB
• _free.LIBCMT ref: 00902CB6
• _free.LIBCMT ref: 00902CC1
• _free.LIBCMT ref: 00902CCC
• _free.LIBCMT ref: 00902CD7
• _free.LIBCMT ref: 00902CE2
• _free.LIBCMT ref: 00902CED
• _free.LIBCMT ref: 00902CFB
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: ba4e4a4d9b542d2914e4c968ddb028d2d11669ff0e70ef16ce9cdec100793f75
• Instruction ID: 29399c34aaf14a7c5250b785b9b59074ae5263568f3ebbf91d9801d07da81110
• Opcode Fuzzy Hash: ba4e4a4d9b542d2914e4c968ddb028d2d11669ff0e70ef16ce9cdec100793f75
• Instruction Fuzzy Hash: 9711C876100108BFCB02EF54DA86EDD3BA9FF45350F6144A5FA589F2B2DA31EE509B90
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 008E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008E9BB2
  • Part of subcall function 008E912D: GetCursorPos.USER32(?), ref: 008E9141
  • Part of subcall function 008E912D: ScreenToClient.USER32(00000000,?), ref: 008E915E
  • Part of subcall function 008E912D: GetAsyncKeyState.USER32(00000001), ref: 008E9183
  • Part of subcall function 008E912D: GetAsyncKeyState.USER32(00000002), ref: 008E919D
• ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00968B6B
• ImageList_EndDrag.COMCTL32 ref: 00968B71
• ReleaseCapture.USER32 ref: 00968B77
• SetWindowTextW.USER32(?,00000000), ref: 00968C12
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00968C25
• DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00968CFF
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
• String ID: @GUI_DRAGFILE$@GUI_DROPID
• API String ID: 1924731296-2107944366
• Opcode ID: a5beb96da6293e7c3a234c19244c513c888e8a0c53eac0ce66eca334acdf7021
• Instruction ID: 751a2eebc87c2542aecaae70d14776290f2b47afe5bc7cc05517f4594911f8ad
• Opcode Fuzzy Hash: a5beb96da6293e7c3a234c19244c513c888e8a0c53eac0ce66eca334acdf7021
• Instruction Fuzzy Hash: 64517B70118300AFD704DF28DC5AFAB77E4FB89754F40062EF996A72A1DB749904DBA2
Uniqueness

Uniqueness Score: -1.00%

APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0094C272
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0094C29A
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0094C2CA
• GetLastError.KERNEL32 ref: 0094C322
• SetEvent.KERNEL32(?), ref: 0094C336
• InternetCloseHandle.WININET(00000000), ref: 0094C341
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• API String ID: 3113390036-3916222277
• Opcode ID: 2d61d45a654860d78d4cec8d1a8d0b02b304013feba6c49ff79d76a81d7d977e
• Instruction ID: 08989494f8f34d949fe28eeec4b5bb8fd30291b09be6619f12812625294764b9
• Opcode Fuzzy Hash: 2d61d45a654860d78d4cec8d1a8d0b02b304013feba6c49ff79d76a81d7d977e
• Instruction Fuzzy Hash: 6F317CF1605208AFD7619FA48C88EBB7BFCEB49744B14851EF486D2210DB74DD049B61
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetParent.USER32 ref: 009320AB
• GetClassNameW.USER32(00000000,?,00000100), ref: 009320C0
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0093214D
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ClassMessageNameParentSend
                                                                                                                                                                                                                                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                                                                                                                                                                                          • API String ID: 1290815626-3381328864
                                                                                                                                                                                                                                                          • Opcode ID: 33d401f6a0a3900ffcc7cb141dbfc1b2102ad13543896cfcf90fa53841298a15
                                                                                                                                                                                                                                                          • Instruction ID: 7d6de2527fcadcfb2ba4d497394e006a43162e43b8da321ed4def4824bfa4f53
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 33d401f6a0a3900ffcc7cb141dbfc1b2102ad13543896cfcf90fa53841298a15
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EC11067668C70BB9FA022378DC06DB7379CDB05328F21015AFB04E50E1EAB5A8025A28
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                                          • Opcode ID: 1ef27eb0ca74d914aad7b918dcded5596154b3aca062b3126f89aefc483258a4
                                                                                                                                                                                                                                                          • Instruction ID: 076f8ce134e2d1408a379e5a8ffc999d570809b53c01aea702c5e4c34d1ce855
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1ef27eb0ca74d914aad7b918dcded5596154b3aca062b3126f89aefc483258a4
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6DC1F2B4A04249AFDF11DFA8C841BAEBBB8BF4A310F144199FA54A73D3C7749941CB61
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1282221369-0
                                                                                                                                                                                                                                                          • Opcode ID: a4a28d249eb9f4391a83c9ffd25953590065ac7e4548005601830b259d6a3ac7
                                                                                                                                                                                                                                                          • Instruction ID: 2ff6ac5db1d9f8dde9e65f23a41108d69506d79c4f4a188204121a6a7554dbb5
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a4a28d249eb9f4391a83c9ffd25953590065ac7e4548005601830b259d6a3ac7
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D9615AF2904302AFDB21AFB4D885B6D7BADEF45310F14426DFA44A72C2D6319D019791
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00926890
                                                                                                                                                                                                                                                          • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 009268A9
                                                                                                                                                                                                                                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009268B9
                                                                                                                                                                                                                                                          • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 009268D1
                                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009268F2
                                                                                                                                                                                                                                                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,008E8874,00000000,00000000,00000000,000000FF,00000000), ref: 00926901
                                                                                                                                                                                                                                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0092691E
                                                                                                                                                                                                                                                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,008E8874,00000000,00000000,00000000,000000FF,00000000), ref: 0092692D
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 1268354404-0
                                                                                                                                                                                                                                                          • Opcode ID: d34c7641787861ccdeeaa02195724fd125e1a18bf53a4781f2d95253fd9f8b90
                                                                                                                                                                                                                                                          • Instruction ID: 9b853a2db93a31cf041582b706052677e7675214bb2baa84591c00327d502cf9
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d34c7641787861ccdeeaa02195724fd125e1a18bf53a4781f2d95253fd9f8b90
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 575199B4610209EFDB20CF25DC55BAA7BB9FF89360F104518F956D72A0DBB0E990EB40
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0094C182
                                                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 0094C195
                                                                                                                                                                                                                                                          • SetEvent.KERNEL32(?), ref: 0094C1A9
                                                                                                                                                                                                                                                            • Part of subcall function 0094C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0094C272
                                                                                                                                                                                                                                                            • Part of subcall function 0094C253: GetLastError.KERNEL32 ref: 0094C322
                                                                                                                                                                                                                                                            • Part of subcall function 0094C253: SetEvent.KERNEL32(?), ref: 0094C336
                                                                                                                                                                                                                                                            • Part of subcall function 0094C253: InternetCloseHandle.WININET(00000000), ref: 0094C341
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
• String ID:
• API String ID: 337547030-0
• Opcode ID: dffac8b7f447351c1f947783efccf40fd450853037b3b19e05b923bcdce3ae6a
• Instruction ID: ff0b359c176f65b22887f9a224a00bb11cbe08ef73bbf86651fefff5cef2f157
• Opcode Fuzzy Hash: dffac8b7f447351c1f947783efccf40fd450853037b3b19e05b923bcdce3ae6a
• Instruction Fuzzy Hash: BB31AEB1206641BFDB619FB5DC04E76BBFCFF58300B00442DF9AA82620D7B1E814AB60
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 00933A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00933A57
  • Part of subcall function 00933A3D: GetCurrentThreadId.KERNEL32 ref: 00933A5E
  • Part of subcall function 00933A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009325B3), ref: 00933A65
• MapVirtualKeyW.USER32(00000025,00000000), ref: 009325BD
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009325DB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 009325DF
• MapVirtualKeyW.USER32(00000025,00000000), ref: 009325E9
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00932601
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00932605
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0093260F
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00932623
• Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00932627
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
• String ID:
• API String ID: 2014098862-0
• Opcode ID: e898ad12ffac83e8a3f67e813b502625b0dde11ce769e3c4aa115cd688fecbf5
• Instruction ID: 40a793d2da9702ed15077885a5797bedb5d2dbc11a6ed26fd53194f47896c29c
• Opcode Fuzzy Hash: e898ad12ffac83e8a3f67e813b502625b0dde11ce769e3c4aa115cd688fecbf5
• Instruction Fuzzy Hash: 4A01D4703A8210BBFB107768DC8AF693F59DF8EB12F110006F358AE0E1C9E224449E69
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0093D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0093D501
  • Part of subcall function 0093D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0093D50F
  • Part of subcall function 0093D4DC: CloseHandle.KERNEL32(00000000), ref: 0093D5DC
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0095A16D
• GetLastError.KERNEL32 ref: 0095A180
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0095A1B3
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0095A268
• GetLastError.KERNEL32(00000000), ref: 0095A273
• CloseHandle.KERNEL32(00000000), ref: 0095A2C4
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
• Opcode ID: ae2768572de53b46d7a4f006df78ee273f1d8a4abec755b35d7eaa1ae41b649b
• Instruction ID: a5cc94904f5052421be1f53cd2785345ed8ccc3c77d00c7757740e758f64f353
• Opcode Fuzzy Hash: ae2768572de53b46d7a4f006df78ee273f1d8a4abec755b35d7eaa1ae41b649b
• Instruction Fuzzy Hash: 3661AE702082429FD710DF1AC495F25BBE5AF44319F14858CE8668B7A3C7B6EC49CB96
Uniqueness

Uniqueness Score: -1.00%

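The two function records above are small API traces worth reading as behaviour, not just as hashes. The first is a keystroke-injection routine: AttachThreadInput joins the caller's input queue to the target window's thread, and PostMessageW then posts WM_KEYDOWN (0x100) and WM_KEYUP (0x101) with virtual-key codes 0x25 (VK_LEFT) and 0x27 (VK_RIGHT). The second is a process-termination routine: a Toolhelp snapshot enumerates processes, OpenProcess is called with dwDesiredAccess = 0x1 (PROCESS_TERMINATE) and the handle goes to TerminateProcess; the SeDebugPrivilege string next to it is the privilege that lets a caller open processes regardless of their security descriptor. The Python script below is an added example, not code from the Joe Sandbox report or from the sample: it parses trace lines in the report's own format and flags those two behaviours. The sample lines are copied from the records above; the line grammar (an optional bullet, an optional "Part of subcall function X:" prefix, API.MODULE, an optional argument list where "?" means unknown, and a hex call-site address after "ref:") is my assumption inferred from those records, as are the regex and the classification rules.

```python
from __future__ import annotations

import re
from typing import NamedTuple, Optional

# Constructed sample input: API trace lines copied from the two function
# records above, in the format Joe Sandbox prints them (the "APIs" header
# is included to show that non-call lines are skipped).
SAMPLE_TRACE = """\
APIs
  • Part of subcall function 00933A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009325B3), ref: 00933A65
• MapVirtualKeyW.USER32(00000025,00000000), ref: 009325BD
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 009325DB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 009325DF
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00932601
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00932623
  • Part of subcall function 0093D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0093D501
  • Part of subcall function 0093D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0093D50F
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0095A16D
• GetLastError.KERNEL32 ref: 0095A180
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0095A268
• CloseHandle.KERNEL32(00000000), ref: 0095A2C4
"""

# Assumed line grammar, inferred from the records above: optional bullet,
# optional "Part of subcall function X:", API.MODULE, optional "(args)",
# then the call-site address after "ref:".
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)\s*$"
)

PROCESS_TERMINATE = 0x0001            # dwDesiredAccess bit in OpenProcess
WM_KEYDOWN, WM_KEYUP = 0x0100, 0x0101
VK_NAMES = {0x25: "VK_LEFT", 0x26: "VK_UP", 0x27: "VK_RIGHT", 0x28: "VK_DOWN"}


class ApiCall(NamedTuple):
    api: str
    module: str
    args: tuple                       # ints, or None where the report printed '?'
    ref: int                          # call-site address
    subcall: Optional[int]            # enclosing subcall function, if any


def _parse_arg(token: str) -> Optional[int]:
    token = token.strip()
    return None if token == "?" else int(token, 16)


def parse_trace(text: str) -> list[ApiCall]:
    """Parse report-style API trace lines; lines that are not calls are skipped."""
    calls: list[ApiCall] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(_parse_arg(a) for a in raw.split(",")) if raw else ()
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def classify(calls: list[ApiCall]) -> dict:
    """Flag process enumeration/termination and posted keystrokes in a call list."""
    names = {c.api for c in calls}
    verdict = {
        "enumerates_processes": {"CreateToolhelp32Snapshot", "Process32FirstW"} <= names,
        "terminates_processes": False,
        "attaches_thread_input": "AttachThreadInput" in names,
        "injected_keys": [],
    }
    opened_for_terminate = False
    for c in calls:
        if c.api == "OpenProcess" and c.args and c.args[0] is not None \
                and c.args[0] & PROCESS_TERMINATE:
            opened_for_terminate = True   # handle requested with PROCESS_TERMINATE
        elif c.api == "TerminateProcess" and opened_for_terminate:
            verdict["terminates_processes"] = True
        elif c.api == "PostMessageW" and len(c.args) >= 3 \
                and c.args[1] in (WM_KEYDOWN, WM_KEYUP):
            msg = "WM_KEYDOWN" if c.args[1] == WM_KEYDOWN else "WM_KEYUP"
            vk = c.args[2]
            verdict["injected_keys"].append(
                (msg, VK_NAMES.get(vk, f"VK_{vk:02X}" if vk is not None else "VK_?")))
    return verdict


if __name__ == "__main__":
    for key, value in classify(parse_trace(SAMPLE_TRACE)).items():
        print(f"{key}: {value}")
```

The termination rule deliberately requires an OpenProcess whose access mask includes PROCESS_TERMINATE before a TerminateProcess, so a routine that only terminates itself (TerminateProcess on its own handle) is not flagged; the same parser can be pointed at any other record on this page.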
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 0093C913
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
• Opcode ID: dc36ae235509e95e1fa4cd4b13ced275daacb1e065e6d2c8a666301b0d6eed8e
• Instruction ID: a1ca0ccab7495fa2f19bed481d924e9d8a615636e6ea3fed999c1af5337881ac
• Opcode Fuzzy Hash: dc36ae235509e95e1fa4cd4b13ced275daacb1e065e6d2c8a666301b0d6eed8e
• Instruction Fuzzy Hash: 43113D72689B0ABAEB009B689C83DBB779CDF15318F11006FF500F6282D7B46F005B65
Uniqueness

Uniqueness Score: -1.00%

APIs
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: _wcslen$LocalTime
• String ID:
• API String ID: 952045576-0
• Opcode ID: 7ca048f239ecae4fbece5ae15c15ef225bfae6f86197e366b886fd4bfc2cc278
• Instruction ID: 82bb24023cbbaf1538dbb8587d36e2c450c83d68f42fdf4589335954a82a8842
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7ca048f239ecae4fbece5ae15c15ef225bfae6f86197e366b886fd4bfc2cc278
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F741D065D1021C75CB10EBB8888A9DFB7A9FF45700F008526F618E3161FB34E251C7E6
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• DeleteObject.GDI32(00000000), ref: 00962D1B
• GetDC.USER32(00000000), ref: 00962D23
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00962D2E
• ReleaseDC.USER32(00000000,00000000), ref: 00962D3A
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00962D76
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00962D87
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00965A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00962DC2
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00962DE1
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
• Opcode ID: f1a3f8426d86034b504aa75af6a3808c9f0c07bbfa5f154e5dd40cec60fdf1b2
• Instruction ID: 1079056c0300d4fcdd7e723bcb039fba0d18d6f8ad7257798257879719e85b82
• Opcode Fuzzy Hash: f1a3f8426d86034b504aa75af6a3808c9f0c07bbfa5f154e5dd40cec60fdf1b2
• Instruction Fuzzy Hash: 20317AB2215614BFEB218F50CC8AFFB3BADEF09755F044059FE489A291C6B59C50CBA4
Uniqueness
Uniqueness Score: -1.00%

Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
• Opcode ID: 8a5ac5beef1e762673740cf828daea280b1ba35adf469ff397ac581c1bf301a4
• Instruction ID: 50358b96196bd3a20d0f715118b4705097f768a5f798b0d1ad80e20cc0f015c9
• Opcode Fuzzy Hash: 8a5ac5beef1e762673740cf828daea280b1ba35adf469ff397ac581c1bf301a4
• Instruction Fuzzy Hash: DCD1D571A0060A9FDF10CFA9C890BAEB7B9BF48344F158469ED15AB282D770DD49CB50
Uniqueness
Uniqueness Score: -1.00%

APIs
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Variant$ClearInit
• String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2610073882-625585964
• Opcode ID: 5e2879e2b6b73646a47acccda63cf4b20deec127ce6b8a331cdc6e85b3ac82ed
• Instruction ID: 2a68b960ed9d2fdc9781ac2c0be10d7f0c96f6d55d85d4d58f9502cfe86b27db
• Opcode Fuzzy Hash: 5e2879e2b6b73646a47acccda63cf4b20deec127ce6b8a331cdc6e85b3ac82ed
• Instruction Fuzzy Hash: 01919671A04219AFDF60CFA6CC44FAEB7B8EF45719F108559F905AB280D7709989CFA0
Uniqueness
Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0093000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0092FF41,80070057,?,?,?,0093035E), ref: 0093002B
  • Part of subcall function 0093000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0092FF41,80070057,?,?), ref: 00930046
  • Part of subcall function 0093000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0092FF41,80070057,?,?), ref: 00930054
  • Part of subcall function 0093000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0092FF41,80070057,?), ref: 00930064
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00954C51
• _wcslen.LIBCMT ref: 00954D59
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00954DCF
• CoTaskMemFree.OLE32(?), ref: 00954DDA
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
• String ID: NULL Pointer assignment
• API String ID: 614568839-2785691316
• Opcode ID: 0791b6c4e9f720cf926eeeb2513887b9ca89ae4c51ec8796b5a0d982c2b42425
• Instruction ID: f1138fa56fa0ef61336d6d69f668c995ab1ef5bb99c0af2dd7440336ebcefc16
• Opcode Fuzzy Hash: 0791b6c4e9f720cf926eeeb2513887b9ca89ae4c51ec8796b5a0d982c2b42425
• Instruction Fuzzy Hash: 46914871D0021DAFDF14DFA5D891AEEB7B8FF48314F10426AE915A7291DB309A48CFA1
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetMenu.USER32(?), ref: 00962183
                                                                                                                                                                                                                                                          • GetMenuItemCount.USER32(00000000), ref: 009621B5
                                                                                                                                                                                                                                                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009621DD
                                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 00962213
                                                                                                                                                                                                                                                          • GetMenuItemID.USER32(?,?), ref: 0096224D
                                                                                                                                                                                                                                                          • GetSubMenu.USER32(?,?), ref: 0096225B
                                                                                                                                                                                                                                                            • Part of subcall function 00933A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00933A57
                                                                                                                                                                                                                                                            • Part of subcall function 00933A3D: GetCurrentThreadId.KERNEL32 ref: 00933A5E
                                                                                                                                                                                                                                                            • Part of subcall function 00933A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,009325B3), ref: 00933A65
                                                                                                                                                                                                                                                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009622E3
                                                                                                                                                                                                                                                            • Part of subcall function 0093E97B: Sleep.KERNEL32 ref: 0093E9F3
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 4196846111-0
                                                                                                                                                                                                                                                          • Opcode ID: 4371285feaf6468155661e7e9113529257a3c41517495a72ecee97e0c819aed3
                                                                                                                                                                                                                                                          • Instruction ID: 05e4357e341201ee649b798d849c8b19489da10eb0ca2bb3ddfee9c8f26c5c40
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4371285feaf6468155661e7e9113529257a3c41517495a72ecee97e0c819aed3
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3471AD75E04605AFCB04DF68C881AAEB7F5FF89310F108459E826EB341DB74EE418B90
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetParent.USER32(?), ref: 0093AEF9
                                                                                                                                                                                                                                                          • GetKeyboardState.USER32(?), ref: 0093AF0E
                                                                                                                                                                                                                                                          • SetKeyboardState.USER32(?), ref: 0093AF6F
                                                                                                                                                                                                                                                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 0093AF9D
                                                                                                                                                                                                                                                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 0093AFBC
                                                                                                                                                                                                                                                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 0093AFFD
                                                                                                                                                                                                                                                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 0093B020
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: MessagePost$KeyboardState$Parent
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 87235514-0
                                                                                                                                                                                                                                                          • Opcode ID: 1e93d5df25b9ba4bcbf76470a007095258b817367d1cbb947012298c37ce3aa8
                                                                                                                                                                                                                                                          • Instruction ID: 97948b1c47197ce173f8eff726821d3bfbc3cf917cacd39ebf3ea16f0a936ba8
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1e93d5df25b9ba4bcbf76470a007095258b817367d1cbb947012298c37ce3aa8
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8251B1A06187D53DFB364234CC45BBBBEAD5B06304F088589F2E9598D2C3D9ACC8DB51
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetParent.USER32(00000000), ref: 0093AD19
                                                                                                                                                                                                                                                          • GetKeyboardState.USER32(?), ref: 0093AD2E
                                                                                                                                                                                                                                                          • SetKeyboardState.USER32(?), ref: 0093AD8F
                                                                                                                                                                                                                                                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0093ADBB
                                                                                                                                                                                                                                                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0093ADD8
                                                                                                                                                                                                                                                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0093AE17
                                                                                                                                                                                                                                                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0093AE38
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: MessagePost$KeyboardState$Parent
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 87235514-0
                                                                                                                                                                                                                                                          • Opcode ID: 39c03f0ffce8afb3d2a416b3c890dc37156cc2252f878f8f647daec61047341b
                                                                                                                                                                                                                                                          • Instruction ID: d63fa6c5c6d7771ab0e3bf533d0d48c0aa0b03f706bd09efba50a65b10e3f3a5
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 39c03f0ffce8afb3d2a416b3c890dc37156cc2252f878f8f647daec61047341b
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FD51E5A16087D53DFB378334CC55B7ABEAD5B46304F088588E1E55A8C2D394EC88EB62
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • _ValidateLocalCookies.LIBCMT ref: 008F2D4B
• ___except_validate_context_record.LIBVCRUNTIME ref: 008F2D53
• _ValidateLocalCookies.LIBCMT ref: 008F2DE1
• __IsNonwritableInCurrentImage.LIBCMT ref: 008F2E0C
• _ValidateLocalCookies.LIBCMT ref: 008F2E61
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: 95156e68c11f86bdd14953a12f0f53c9386d1cfed3a39a589576ea82984e128b
• Instruction ID: 4e2640cb7655bf04fd1924bf2d2525395c56e2a0af7fb9cc76cb8cd48fac7826
• Opcode Fuzzy Hash: 95156e68c11f86bdd14953a12f0f53c9386d1cfed3a39a589576ea82984e128b
• Instruction Fuzzy Hash: C141A134A0020DABCF10EF78C845ABEBBA5FF45368F148165EA14EB292D7359A51CB91
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 00962E1C
• GetWindowLongW.USER32(?,000000F0), ref: 00962E4F
• GetWindowLongW.USER32(?,000000F0), ref: 00962E84
• SendMessageW.USER32(?,000000F1,00000000,00000000), ref: 00962EB6
• SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 00962EE0
• GetWindowLongW.USER32(?,000000F0), ref: 00962EF1
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 00962F0B
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
• Opcode ID: c2d79b3119a9519b87508fb454d554807f15dd56943a926fa1556cd3709d53c8
• Instruction ID: efe8d7fa97e77e889236f03e9210c911d8ab1198f57d984b27bf27fbddf9c2ad
• Opcode Fuzzy Hash: c2d79b3119a9519b87508fb454d554807f15dd56943a926fa1556cd3709d53c8
• Instruction Fuzzy Hash: FF312430658641AFDB22CF58ED84F6537E8FB9A710F150175F9518F2B1CBB2A840EB41
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetStdHandle.KERNEL32(0000000C), ref: 009404F2
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0094052E
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Opcode ID: 29215e2c4dc7ecbf792727306bf9131a03a4e64fe1094befcf789fbdeba81a4b
• Instruction ID: 0a944b446e202491a8faec3212d6e578da03eee313469305fe6ac76f367914cb
• Opcode Fuzzy Hash: 29215e2c4dc7ecbf792727306bf9131a03a4e64fe1094befcf789fbdeba81a4b
• Instruction Fuzzy Hash: 7E2151755003059BDB209F2AD844E5A77A8EFC5724F204A19F9A1D72E0E770D940DF20
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetStdHandle.KERNEL32(000000F6), ref: 009405C6
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00940601
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Opcode ID: ea1af8b2808f99af163ae25bcf39e438d6360bf51eecffa124cd4e274ce431f8
• Instruction ID: bc06bd05579e102a72de42e368ce4b1ca067e1c94b5105fb29a9ba1a8c3b677e
• Opcode Fuzzy Hash: ea1af8b2808f99af163ae25bcf39e438d6360bf51eecffa124cd4e274ce431f8
• Instruction Fuzzy Hash: E4218E755043059BDB209F698C04EAA77E8AFD5720F214B1DFEE2E72E0D7B09860DB20
Uniqueness
Uniqueness Score: -1.00%
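The two GetStdHandle/CreatePipe records above share an API ID, the string "nul" and the API String ID 1424370930-2873401336, yet carry different Opcode IDs and Instruction Fuzzy Hashes: the same routine built twice at different addresses. The script below is an added example, not part of this report and not Joe Sandbox tooling; it parses records in this plain-text layout (one block from "APIs" to "Uniqueness Score" per function, which is an assumption about the export format), then reports which Similarity fields two records share. The sample text is copied from those two records, trimmed to the lines the parser uses.

```python
"""Parse Joe Sandbox per-function records and compare their Similarity fields.

Added example; not part of the report above and not Joe Sandbox tooling. The
block layout (one 'APIs' ... 'Uniqueness Score' record per function) is an
assumption about the plain-text export; the sample is copied from this page.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the two GetStdHandle/CreatePipe records from the report,
# trimmed to the lines this parser uses.
SAMPLE = """
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 009404F2
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0094052E
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Opcode ID: 29215e2c4dc7ecbf792727306bf9131a03a4e64fe1094befcf789fbdeba81a4b
• Instruction Fuzzy Hash: 7E2151755003059BDB209F2AD844E5A77A8EFC5724F204A19F9A1D72E0E770D940DF20
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetStdHandle.KERNEL32(000000F6), ref: 009405C6
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00940601
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
• Opcode ID: ea1af8b2808f99af163ae25bcf39e438d6360bf51eecffa124cd4e274ce431f8
• Instruction Fuzzy Hash: E4218E755043059BDB209F698C04EAA77E8AFD5720F214B1DFEE2E72E0D7B09860DB20
Uniqueness
Uniqueness Score: -1.00%
"""


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)       # (subcall, api, module, args, ref)
    similarity: dict = field(default_factory=dict)  # Similarity bullets + score


# Matches both "Api.MODULE(args), ref: ADDR" and the paren-less "Api.LIBCMT ref: ADDR".
API_RE = re.compile(r"^•\s*(?:Part of subcall function (\w+): )?"
                    r"(\w+)\.(\w+)(?:\((.*)\))?,? ref: ([0-9A-F]+)$")


def parse_records(text):
    records, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "APIs":                            # a record opens with APIs
            cur, section = FunctionRecord(), "APIs"
            records.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Uniqueness Score:"):    # ... and closes with the score
            cur.similarity["Uniqueness Score"] = line.split(":", 1)[1].strip()
            cur, section = None, None
        elif not line.startswith("•"):                # plain line = section header
            section = line
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                cur.apis.append(m.groups())
        elif section == "Similarity":
            key, _, val = line[1:].partition(":")
            cur.similarity[key.strip()] = val.strip()
    return records


def api_sequence(rec, include_subcalls=False):
    """API names in call order; 'Part of subcall' entries excluded by default."""
    return [api for sub, api, _m, _a, _r in rec.apis if include_subcalls or sub is None]


FIELDS = ("API ID", "String ID", "API String ID", "Opcode ID", "Instruction Fuzzy Hash")


def compare(a, b):
    """Which Similarity fields two records have in common."""
    return {f: a.similarity.get(f) == b.similarity.get(f) for f in FIELDS}


def classify(a, b):
    """Same Opcode ID: identical code. Same API String ID and call sequence but a
    different Opcode ID: two implementations of the same routine."""
    c = compare(a, b)
    if c["Opcode ID"]:
        return "identical code"
    if c["API String ID"] and api_sequence(a) == api_sequence(b):
        return "same API profile, different code"
    return "unrelated"


if __name__ == "__main__":
    first, second = parse_records(SAMPLE)
    for name, same in compare(first, second).items():
        print(f"{name:24s} {'same' if same else 'differs'}")
    print(classify(first, second))
```

When hunting for the same routine across samples, pivot on the API String ID rather than the Opcode ID: the Opcode ID changes with every rebuild, while the API String ID survives as long as the import sequence and referenced strings do. For these two records that is the GetStdHandle/CreatePipe pair with the "nul" string, a profile consistent with redirecting a child process's standard handles.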

APIs
  • Part of subcall function 008D600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008D604C
  • Part of subcall function 008D600E: GetStockObject.GDI32(00000011), ref: 008D6060
  • Part of subcall function 008D600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 008D606A
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00964112
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0096411F
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0096412A
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00964139
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00964145
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: MessageSend$CreateObjectStockWindow
                                                                                                                                                                                                                                                          • String ID: Msctls_Progress32
                                                                                                                                                                                                                                                          • API String ID: 1025951953-3636473452
                                                                                                                                                                                                                                                          • Opcode ID: 4257ef9e4889ca818671299dd28325431c8f6c48d440c78beb5eca8f5789556f
                                                                                                                                                                                                                                                          • Instruction ID: 87f0e1ca834d3270faf2fa6f42553084d0c608e57b04c7bd44f94dea9df03426
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4257ef9e4889ca818671299dd28325431c8f6c48d440c78beb5eca8f5789556f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E211E2B215021EBEEF108FA4CC85EE77F5DEF09398F014111FB18A2050CA729C61DBA4
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• InterlockedExchange.KERNEL32(013AEC48,013AEC48), ref: 0094097B
• EnterCriticalSection.KERNEL32(013AEC28,00000000), ref: 0094098D
• TerminateThread.KERNEL32(?,000001F6), ref: 0094099B
• WaitForSingleObject.KERNEL32(?,000003E8), ref: 009409A9
• CloseHandle.KERNEL32(?), ref: 009409B8
• InterlockedExchange.KERNEL32(013AEC48,000001F6), ref: 009409C8
• LeaveCriticalSection.KERNEL32(013AEC28), ref: 009409CF
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
• Opcode ID: 84a45fdeb165d96283444959fee888f195b75059be8652ac6e3e9a21713577d9
• Instruction ID: 3fa1a38afb47a941d6674c0a1faa2b8195307e6b430e4f040d3e82a1a5614b0e
• Opcode Fuzzy Hash: 84a45fdeb165d96283444959fee888f195b75059be8652ac6e3e9a21713577d9
• Instruction Fuzzy Hash: 7CF03C7245AA02BBD7415FA4EE9CBE6BB39FF41702F402029F242908A0C7B59465DFA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• __allrem.LIBCMT ref: 009000BA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009000D6
• __allrem.LIBCMT ref: 009000ED
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0090010B
• __allrem.LIBCMT ref: 00900122
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00900140
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
• Instruction ID: 04eac179e548d0bd479c690399b57786c28a45a30fd1e5e06a81a0003610ad85
• Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
• Instruction Fuzzy Hash: 8D81C872A00B0A9FE7249F78CC41B6A73E9EFC5764F24453AF651D66C1EB70D9408790
Uniqueness
Uniqueness Score: -1.00%

APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,008F82D9,008F82D9,?,?,?,0090644F,00000001,00000001,8BE85006), ref: 00906258
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0090644F,00000001,00000001,8BE85006,?,?,?), ref: 009062DE
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009063D8
• __freea.LIBCMT ref: 009063E5
  • Part of subcall function 00903820: RtlAllocateHeap.NTDLL(00000000,?,009A1444,?,008EFDF5,?,?,008DA976,00000010,009A1440,008D13FC,?,008D13C6,?,008D1129), ref: 00903852
• __freea.LIBCMT ref: 009063EE
• __freea.LIBCMT ref: 00906413
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
• Opcode ID: e5f7a5a464ac34215a82bade40eda22d4e02b4be0cf1f78127b1cb5ef6c25e9f
• Instruction ID: bdb4e16e258257f3ab1f26fb37356aed2d3bf7a8d12c6fa618464c1051899bc5
• Opcode Fuzzy Hash: e5f7a5a464ac34215a82bade40eda22d4e02b4be0cf1f78127b1cb5ef6c25e9f
• Instruction Fuzzy Hash: 2D519C72A00216AFEB259F64DC81EBF7AADEF84750F154629F805DA1D0EB34DC60D6A0
Uniqueness
Uniqueness Score: -1.00%

APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 0094080C
• ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00940847
• EnterCriticalSection.KERNEL32(?), ref: 00940863
• LeaveCriticalSection.KERNEL32(?), ref: 009408DC
• ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 009408F3
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00940921
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
• String ID:
• API String ID: 3368777196-0
• Opcode ID: 8e026cbd0f94be6aed1ea6de9705349ffd0faeaaf88e06fb1f3f20568ad79f2d
• Instruction ID: 3886352802e2805b01b4205187c18cfa83a9ff9910f84927adcaef120dc04626
• Opcode Fuzzy Hash: 8e026cbd0f94be6aed1ea6de9705349ffd0faeaaf88e06fb1f3f20568ad79f2d
• Instruction Fuzzy Hash: F4415971900205ABDF14AF58DC85A6A7778FF45300F1440A9FE00DE297DB71EE60DBA0
Uniqueness

Uniqueness Score: -1.00%

APIs
• ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0092F3AB,00000000,?,?,00000000,?,0092682C,00000004,00000000,00000000), ref: 0096824C
• EnableWindow.USER32(?,00000000), ref: 00968272
• ShowWindow.USER32(FFFFFFFF,00000000), ref: 009682D1
• ShowWindow.USER32(?,00000004), ref: 009682E5
• EnableWindow.USER32(?,00000001), ref: 0096830B
• SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0096832F
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
• Opcode ID: 19041a95fa533b26ce18bddb3eeb3b55f32ee2ca1f1868ccd264b449a83d7a92
• Instruction ID: 14ffbf7ef473a51ae91cca32e4f89dd756e64e10ec6b6b41d41c3fa3aac4e375
• Opcode Fuzzy Hash: 19041a95fa533b26ce18bddb3eeb3b55f32ee2ca1f1868ccd264b449a83d7a92
• Instruction Fuzzy Hash: 3F41D030605640AFDB25CF25D8A9FE67BE4FF4A754F1803A9F5584B2A2CB31A841DB80
Uniqueness

Uniqueness Score: -1.00%

APIs
• IsWindowVisible.USER32(?), ref: 00934C95
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00934CB2
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00934CEA
• _wcslen.LIBCMT ref: 00934D08
• CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00934D10
• _wcsstr.LIBVCRUNTIME ref: 00934D1A
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
• String ID:
• API String ID: 72514467-0
• Opcode ID: 7a4d663de087378f135cd5f25ed6fe2afaebc2c5457ae808cfe02b9d0798404a
• Instruction ID: 69a5a675ea7d480c421c7c73b8fca16da17f2937c132bf71ba644373c9a34eba
• Opcode Fuzzy Hash: 7a4d663de087378f135cd5f25ed6fe2afaebc2c5457ae808cfe02b9d0798404a
• Instruction Fuzzy Hash: FD212672204201BBEB155B39EC09E7B7B9CEF45750F11802DF905CA192EAA1FC009BA1
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetLastError.KERNEL32(?,?,00905686,00913CD6,?,00000000,?,00905B6A,?,?,?,?,?,008FE6D1,?,00998A48), ref: 00902D78
• _free.LIBCMT ref: 00902DAB
• _free.LIBCMT ref: 00902DD3
• SetLastError.KERNEL32(00000000,?,?,?,?,008FE6D1,?,00998A48,00000010,008D4F4A,?,?,00000000,00913CD6), ref: 00902DE0
• SetLastError.KERNEL32(00000000,?,?,?,?,008FE6D1,?,00998A48,00000010,008D4F4A,?,?,00000000,00913CD6), ref: 00902DEC
• _abort.LIBCMT ref: 00902DF2
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: ErrorLast$_free$_abort
• String ID:
• API String ID: 3160817290-0
• Opcode ID: 8e424b262958587d2cad92d9208b5294fd77ceee5d40154689a0655b4a57179e
• Instruction ID: 590d97d36f9dafee4e912e5edcb967c6fa2f3aa6700216ada265002a72af338f
• Opcode Fuzzy Hash: 8e424b262958587d2cad92d9208b5294fd77ceee5d40154689a0655b4a57179e
• Instruction Fuzzy Hash: 19F0C27650CA016FC6223738BC0EF6A265DAFC27A5F354419F834962E2EE648C416260
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 008E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008E9693
  • Part of subcall function 008E9639: SelectObject.GDI32(?,00000000), ref: 008E96A2
  • Part of subcall function 008E9639: BeginPath.GDI32(?), ref: 008E96B9
  • Part of subcall function 008E9639: SelectObject.GDI32(?,00000000), ref: 008E96E2
• MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00968A4E
• LineTo.GDI32(?,00000003,00000000), ref: 00968A62
• MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00968A70
• LineTo.GDI32(?,00000000,00000003), ref: 00968A80
• EndPath.GDI32(?), ref: 00968A90
• StrokePath.GDI32(?), ref: 00968AA0
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 43455801-0
                                                                                                                                                                                                                                                          • Opcode ID: 26b8ca9361da121bf9e797b5624d9be9a19057c4304d165bee54830161ee183f
                                                                                                                                                                                                                                                          • Instruction ID: 6e91adbca058d38ac54fd2268cb15fbfaca0289a0e8a49b125ea4f6f46cfd89b
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 26b8ca9361da121bf9e797b5624d9be9a19057c4304d165bee54830161ee183f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9A110976004108FFDF129F94DC88EAA7F6CEF09390F008016FA599A1A1C7B19D55EBA0
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0093EB30
                                                                                                                                                                                                                                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0093EB46
                                                                                                                                                                                                                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 0093EB55
                                                                                                                                                                                                                                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0093EB64
                                                                                                                                                                                                                                                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0093EB6E
                                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0093EB75
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 839392675-0
                                                                                                                                                                                                                                                          • Opcode ID: ad17ce1619347ecb618f51b99faaf780b8080a70251d53a50c7385c675550beb
                                                                                                                                                                                                                                                          • Instruction ID: 4d85f97260417dc22cfbf0809cdf435818a59e5e5f60b987b783414f0b265187
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ad17ce1619347ecb618f51b99faaf780b8080a70251d53a50c7385c675550beb
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DCF017B2254159BBE7216B62DC0EEBB7A7CEFCAB11F00015CF642D119196E05A01AAB9
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 008D7620: _wcslen.LIBCMT ref: 008D7625
                                                                                                                                                                                                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0093C6EE
                                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 0093C735
                                                                                                                                                                                                                                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0093C79C
                                                                                                                                                                                                                                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0093C7CA
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ItemMenu$Info_wcslen$Default
                                                                                                                                                                                                                                                          • String ID: 0
                                                                                                                                                                                                                                                          • API String ID: 1227352736-4108050209
                                                                                                                                                                                                                                                          • Opcode ID: b8c4fdcd37acacf88c4005c95d1b13f9244195b94eec5b9e59c57c1387369416
                                                                                                                                                                                                                                                          • Instruction ID: 3ce6d3caf8de1790d02ffeda0bdeba33c183382bb6a02e3f3576dd7122f1a577
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b8c4fdcd37acacf88c4005c95d1b13f9244195b94eec5b9e59c57c1387369416
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2851B0B16187019BD7149F28C889B6B77E8EF8A314F040A2DF996F32A1DB64DD04DF52
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,008F4D1E,009028E9,?,008F4CBE,009028E9,009988B8,0000000C,008F4E15,009028E9,00000002), ref: 008F4D8D
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 008F4DA0
                                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,008F4D1E,009028E9,?,008F4CBE,009028E9,009988B8,0000000C,008F4E15,009028E9,00000002,00000000), ref: 008F4DC3
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                                                          • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                                                          • Opcode ID: 2011922c19f55e4036047d80e248459877777ecc67535de8252535a5c7f0aaed
                                                                                                                                                                                                                                                          • Instruction ID: 7daee29e44485cc3f30a939120385f11940a78eabc037ae827b0e63d73ea80c6
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2011922c19f55e4036047d80e248459877777ecc67535de8252535a5c7f0aaed
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F7F0A47151420CBBDB145FA4DC09BBEBBB4FF44755F000059F909E2250CB705940DB90
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?,008D4EDD,?,009A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008D4E9C
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 008D4EAE
                                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,008D4EDD,?,009A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008D4EC0
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                                                                                                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                                                                                                                                                                          • API String ID: 145871493-3689287502
                                                                                                                                                                                                                                                          • Opcode ID: 5286d72df39fe0d15990bd18893626c2c194190aa49aeeec537732366ab8431a
                                                                                                                                                                                                                                                          • Instruction ID: 1b40f04bc9feb966444814d037eebf1e88aa79b36759c574f0847926b8653a51
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5286d72df39fe0d15990bd18893626c2c194190aa49aeeec537732366ab8431a
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 60E08675A195226B93212B256C18A7B6754FFC2B7270A021AFC44D2200DBB0CD0190A1
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00913CDE,?,009A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008D4E62
                                                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 008D4E74
                                                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,?,00913CDE,?,009A1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 008D4E87
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Library$AddressFreeLoadProc
                                                                                                                                                                                                                                                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                                                                                                                                                                          • API String ID: 145871493-1355242751
                                                                                                                                                                                                                                                          • Opcode ID: 1e5c69b1091e5a525827d09f9fbe08a55034a38c7bab4494cf6c4eee8118de8d
                                                                                                                                                                                                                                                          • Instruction ID: 9c278cdc17a30d2b5594f85fb6f790f90a5789db8842ec152a3ccf201838d67d
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1e5c69b1091e5a525827d09f9fbe08a55034a38c7bab4494cf6c4eee8118de8d
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EED0C23151A661674A221B24AC08DAB2B18FFC6B75386031AF844E2210CFB0CD01D1D0
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00942C05
                                                                                                                                                                                                                                                          • DeleteFileW.KERNEL32(?), ref: 00942C87
                                                                                                                                                                                                                                                          • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00942C9D
                                                                                                                                                                                                                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00942CAE
                                                                                                                                                                                                                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00942CC0
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: File$Delete$Copy
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3226157194-0
                                                                                                                                                                                                                                                          • Opcode ID: c80ad64024d8673cedf78b1437e0e0464e0efd0e9340210f522f92c9aa16d4fc
                                                                                                                                                                                                                                                          • Instruction ID: 4d3dbb88cd4637cabab850a659dc14cf575499865872c0e912bd2c5d52b1eacd
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c80ad64024d8673cedf78b1437e0e0464e0efd0e9340210f522f92c9aa16d4fc
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5EB13C71D0011DABDF25DBA4CC85EEEBBBDFF49350F5040A6FA09E6151EA309A448F61
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetCurrentProcessId.KERNEL32 ref: 0095A427
                                                                                                                                                                                                                                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0095A435
                                                                                                                                                                                                                                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0095A468
                                                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 0095A63D
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Process$CloseCountersCurrentHandleOpen
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3488606520-0
                                                                                                                                                                                                                                                          • Opcode ID: db547560e94c097433596e6860c294a6a8a724b96fb69166c6561e817d5541ec
                                                                                                                                                                                                                                                          • Instruction ID: e80518a1c4d480bc721f45f40d35c228f5604343e546510969dd8c6ae7b5e301
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: db547560e94c097433596e6860c294a6a8a724b96fb69166c6561e817d5541ec
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B7A19B716043019FD720DF29C882F2AB7E5EF84714F14891DF99ADB392DAB0EC458B86
Uniqueness

Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0093DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0093CF22,?), ref: 0093DDFD
  • Part of subcall function 0093DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0093CF22,?), ref: 0093DE16
  • Part of subcall function 0093E199: GetFileAttributesW.KERNEL32(?,0093CF95), ref: 0093E19A
• lstrcmpiW.KERNEL32(?,?), ref: 0093E473
• MoveFileW.KERNEL32(?,?), ref: 0093E4AC
• _wcslen.LIBCMT ref: 0093E5EB
• _wcslen.LIBCMT ref: 0093E603
• SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0093E650
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
• String ID:
• API String ID: 3183298772-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• VariantInit.OLEAUT32(?), ref: 00938BCD
• VariantClear.OLEAUT32 ref: 00938C3E
• VariantClear.OLEAUT32 ref: 00938C9D
• VariantClear.OLEAUT32(?), ref: 00938D10
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00938D3B
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Variant$Clear$ChangeInitType
• String ID:
• API String ID: 4136290138-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00948BAE
• GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00948BDA
• WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00948C32
• WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00948C57
• WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00948C5F
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: PrivateProfile$SectionWrite$String
• String ID:
• API String ID: 2832842796-0
Uniqueness

Uniqueness Score: -1.00%

APIs
• LoadLibraryW.KERNEL32(?,00000000,?), ref: 00958F40
• GetProcAddress.KERNEL32(00000000,?), ref: 00958FD0
• GetProcAddress.KERNEL32(00000000,00000000), ref: 00958FEC
• GetProcAddress.KERNEL32(00000000,?), ref: 00959032
• FreeLibrary.KERNEL32(00000000), ref: 00959052
  • Part of subcall function 008EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00941043,?,7644E610), ref: 008EF6E6
  • Part of subcall function 008EF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0092FA64,00000000,00000000,?,?,00941043,?,7644E610,?,0092FA64), ref: 008EF70D
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
• String ID:
• API String ID: 666041331-0
Uniqueness
Uniqueness Score: -1.00%
APIs
• SetWindowLongW.USER32(00000002,000000F0,?), ref: 00966C33
• SetWindowLongW.USER32(?,000000EC,?), ref: 00966C4A
• SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00966C73
• ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0094AB79,00000000,00000000), ref: 00966C98
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00966CC7
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Window$Long$MessageSendShow
• String ID:
• API String ID: 3688381893-0
• Opcode ID: 7107a688ffda50cf9fca26f4c09733483367afb3c872c6e82268804474057be5
• Instruction ID: ffffe854e9f82a6d829780bbbb659543c2a4a34f998acdeafff8ad8448264b2e
• Opcode Fuzzy Hash: 7107a688ffda50cf9fca26f4c09733483367afb3c872c6e82268804474057be5
• Instruction Fuzzy Hash: 4541D435A08504AFDB24CF38CC58FBA7BA9EB49350F140229FAD5A72E0C375AD41DA80
Uniqueness
Uniqueness Score: -1.00%
APIs
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
• Opcode ID: ad944514c7f1e6eee194bc184e549de50be9bf178c946e9b2a1957558df1416e
• Instruction ID: 1a7d396447edc68fa97e7a28e34ef993c9d7d5e0a4397e22967ae349ce99aa23
• Opcode Fuzzy Hash: ad944514c7f1e6eee194bc184e549de50be9bf178c946e9b2a1957558df1416e
• Instruction Fuzzy Hash: 2B41D172A003009FCB24DF78C885A5EB7B5EF8A314F1545A9EA15EB392DA31AD01CB91
Uniqueness
Uniqueness Score: -1.00%
APIs
• IsWindow.USER32(00000000), ref: 00950951
• GetForegroundWindow.USER32 ref: 00950968
• GetDC.USER32(00000000), ref: 009509A4
• GetPixel.GDI32(00000000,?,00000003), ref: 009509B0
• ReleaseDC.USER32(00000000,00000003), ref: 009509E8
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Window$ForegroundPixelRelease
• String ID:
• API String ID: 4156661090-0
• Opcode ID: e1d01846b05543dbe999faac2dd73f36c20fda748d33129bea2bdcdec37f613f
• Instruction ID: e4b75c6f4e880e04cd845953c1a64b34dfd3eb45b079324ed613fa52b0572333
• Opcode Fuzzy Hash: e1d01846b05543dbe999faac2dd73f36c20fda748d33129bea2bdcdec37f613f
• Instruction Fuzzy Hash: 2A215E75600204AFD704EF69D894AAEBBE9EF84741F04846DF88AD7362CA70AC44DB50
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 0090CDC6
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0090CDE9
  • Part of subcall function 00903820: RtlAllocateHeap.NTDLL(00000000,?,009A1444,?,008EFDF5,?,?,008DA976,00000010,009A1440,008D13FC,?,008D13C6,?,008D1129), ref: 00903852
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0090CE0F
• _free.LIBCMT ref: 0090CE22
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0090CE31
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
• String ID:
• API String ID: 336800556-0
• Opcode ID: 3fb6f04201d52fd8b6104fa65b57267304b27879aa00f9abebd047299611f005
• Instruction ID: b19dd1f7f745ec92fa1c7bd356da636584b1fe7407e26d207aa836d72eff94fa
• Opcode Fuzzy Hash: 3fb6f04201d52fd8b6104fa65b57267304b27879aa00f9abebd047299611f005
• Instruction Fuzzy Hash: 6401A7F26052157FA32127B6AC8CD7F7E6DDEC7BA1315422EFD05D7281EA618D01A1B0
Uniqueness
Uniqueness Score: -1.00%
APIs
• GetLastError.KERNEL32(?,?,?,008FF2DE,00903863,009A1444,?,008EFDF5,?,?,008DA976,00000010,009A1440,008D13FC,?,008D13C6), ref: 00902DFD
• _free.LIBCMT ref: 00902E32
• _free.LIBCMT ref: 00902E59
• SetLastError.KERNEL32(00000000,008D1129), ref: 00902E66
• SetLastError.KERNEL32(00000000,008D1129), ref: 00902E6F
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: ErrorLast$_free
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3170660625-0
                                                                                                                                                                                                                                                          • Opcode ID: a95764157fa8b708d0794d4f07260e26e6bd503b0be82cf986c8b7886c8dfe2e
                                                                                                                                                                                                                                                          • Instruction ID: c5afcc8f1f60bbe11067813a102c79a2d2d9e5ae29f10124a0ec65b17aa80ab4
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a95764157fa8b708d0794d4f07260e26e6bd503b0be82cf986c8b7886c8dfe2e
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FD01287628D6006FC6123738AC4DE3B265DAFD17B5B314439F865A22D2EF748C016120
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,0092FF41,80070057,?,?,?,0093035E), ref: 0093002B
• ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0092FF41,80070057,?,?), ref: 00930046
• lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0092FF41,80070057,?,?), ref: 00930054
• CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0092FF41,80070057,?), ref: 00930064
• CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0092FF41,80070057,?,?), ref: 00930070
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
• Opcode ID: 8168dc29b04d4cb1f855ba62729a4e9f59d3405e672514fd2c87a6464fa9cfee
• Instruction ID: 4c104d20d94de8f817da9b7f51b8f5a301bd56fabc7b2d6c40a9db8bce2dfef1
• Opcode Fuzzy Hash: 8168dc29b04d4cb1f855ba62729a4e9f59d3405e672514fd2c87a6464fa9cfee
• Instruction Fuzzy Hash: 7B01A2B2610218BFDB245F68DC44BBA7AEDEF84791F144128F945D3210D7B5DD40EBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• QueryPerformanceCounter.KERNEL32(?), ref: 0093E997
• QueryPerformanceFrequency.KERNEL32(?), ref: 0093E9A5
• Sleep.KERNEL32(00000000), ref: 0093E9AD
• QueryPerformanceCounter.KERNEL32(?), ref: 0093E9B7
• Sleep.KERNEL32 ref: 0093E9F3
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: PerformanceQuery$CounterSleep$Frequency
• String ID:
• API String ID: 2833360925-0
• Opcode ID: 0a9fdf57dcf297061dd18e0a1742e9cb081b3d8f64f9bbf8fc1d2b483d7ee93f
• Instruction ID: bc16a8e491bf98582e4bd63dbc9d74a693d3e942126d132e35c92ed42214ab28
• Opcode Fuzzy Hash: 0a9fdf57dcf297061dd18e0a1742e9cb081b3d8f64f9bbf8fc1d2b483d7ee93f
• Instruction Fuzzy Hash: 96015771C19A2DDBCF00AFE4DC59AEDBB78FB09301F01054AE942B2280CB7495519BA2
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00930FCA
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00930FD6
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00930FE5
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00930FEC
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00931002
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
• Opcode ID: 62d14e7eaff5aed532827c6428114e5f62cb53740cf5ed9c59bbf3dbf25cbedb
• Instruction ID: fb1b9358570499fec33addd34a85a931d16d895be1a00ffc4c22ba7d0d973189
• Opcode Fuzzy Hash: 62d14e7eaff5aed532827c6428114e5f62cb53740cf5ed9c59bbf3dbf25cbedb
• Instruction Fuzzy Hash: 90F06DB5214301FBDB214FA5DC4DF663BADEF8A762F114418FA89D7261CAB1DC409A60
Uniqueness
Uniqueness Score: -1.00%
                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

APIs
• CloseHandle.KERNEL32(?,?,?,?,0094017D,?,009432FC,?,00000001,00912592,?), ref: 00940324
• CloseHandle.KERNEL32(?,?,?,?,0094017D,?,009432FC,?,00000001,00912592,?), ref: 00940331
• CloseHandle.KERNEL32(?,?,?,?,0094017D,?,009432FC,?,00000001,00912592,?), ref: 0094033E
• CloseHandle.KERNEL32(?,?,?,?,0094017D,?,009432FC,?,00000001,00912592,?), ref: 0094034B
• CloseHandle.KERNEL32(?,?,?,?,0094017D,?,009432FC,?,00000001,00912592,?), ref: 00940358
• CloseHandle.KERNEL32(?,?,?,?,0094017D,?,009432FC,?,00000001,00912592,?), ref: 00940365
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: CloseHandle
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2962429428-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
• _free.LIBCMT ref: 009022BE
  • Part of subcall function 009029C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0090D7D1,00000000,00000000,00000000,00000000,?,0090D7F8,00000000,00000007,00000000,?,0090DBF5,00000000), ref: 009029DE
  • Part of subcall function 009029C8: GetLastError.KERNEL32(00000000,?,0090D7D1,00000000,00000000,00000000,00000000,?,0090D7F8,00000000,00000007,00000000,?,0090DBF5,00000000,00000000), ref: 009029F0
• _free.LIBCMT ref: 009022D0
• _free.LIBCMT ref: 009022E3
• _free.LIBCMT ref: 009022F4
• _free.LIBCMT ref: 00902305
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
Uniqueness
• Uniqueness Score: -1.00%

APIs
  • Part of subcall function 0093B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009321D0,?,?,00000034,00000800,?,00000034), ref: 0093B42D
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00932760
  • Part of subcall function 0093B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009321FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0093B3F8
  • Part of subcall function 0093B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0093B355
  • Part of subcall function 0093B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00932194,00000034,?,?,00001004,00000000,00000000), ref: 0093B365
  • Part of subcall function 0093B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00932194,00000034,?,?,00001004,00000000,00000000), ref: 0093B37B
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009327CD
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0093281A
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
Uniqueness
• Uniqueness Score: -1.00%

APIs
• GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0093C306
• DeleteMenu.USER32(?,00000007,00000000), ref: 0093C34C
• DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,009A1990,013B5400), ref: 0093C395
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Menu$Delete$InfoItem
• String ID: 0
• API String ID: 135850232-4108050209
Uniqueness
• Uniqueness Score: -1.00%

APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0096CC08,00000000,?,?,?,?), ref: 009644AA
• GetWindowLongW.USER32 ref: 009644C7
• SetWindowLongW.USER32(?,000000F0,00000000), ref: 009644D7
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Window$Long
• String ID: SysTreeView32
• API String ID: 847901565-1698111956
• Opcode ID: abab2444faf46aae9897fef1b7a3a84bf8c92850630bfcca71cd3814c5e6fd6a
• Instruction ID: dfe2c3905179391cb1ee22a28caec5f998839447ae8f045fef64be3bd4dc0f1d
• Opcode Fuzzy Hash: abab2444faf46aae9897fef1b7a3a84bf8c92850630bfcca71cd3814c5e6fd6a
• Instruction Fuzzy Hash: 8631AB71214605AFDF218EB8DC46BEA7BA9EB09378F204715F975E21E0DB70EC909B50
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00964705
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00964713
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0096471A
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32
• API String ID: 4014797782-2298589950
• Opcode ID: e70f56e9bca5736aa8f9e78be836ab9dcf4bc9e41892cec8ba6f9b9f522b771c
• Instruction ID: b8778147e705fb0b685dc1dbcf542b00604bf37c2d8285f5dc93b8e8779fb167
• Opcode Fuzzy Hash: e70f56e9bca5736aa8f9e78be836ab9dcf4bc9e41892cec8ba6f9b9f522b771c
• Instruction Fuzzy Hash: 9F2190B5604209AFDB10DF68DCC1DB737ADEF9A3A4B040149FA009B361DB70EC11DA60
Uniqueness

Uniqueness Score: -1.00%

APIs
• SetErrorMode.KERNEL32(00000001), ref: 00944A08
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00944A5C
• SetErrorMode.KERNEL32(00000000,?,?,0096CC08), ref: 00944AD0
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: %lu
• API String ID: 2507767853-685833217
• Opcode ID: 6feb140d03d7133ca1471cbbfdf1673f7d103009d3ab3d2990e4c43d73cf767d
• Instruction ID: 4bdd341a7d4c2a6b4416d6da35ab16aef3e3a2856c2af4105858e14bae23f72f
• Opcode Fuzzy Hash: 6feb140d03d7133ca1471cbbfdf1673f7d103009d3ab3d2990e4c43d73cf767d
• Instruction Fuzzy Hash: BE317171A00108AFDB10DF58C885EAA7BF8EF49308F1480A9F949DB362DB71ED45CB61
Uniqueness

Uniqueness Score: -1.00%

APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0096424F
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00964264
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00964271
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: fa1b725f8c79a0288e2466215e236736fe4b53ae43fadd98397ccacfe196f3e4
• Instruction ID: 47869c2c137dccf0031c898054542f6bbead4915259ec506ce6752994976cade
• Opcode Fuzzy Hash: fa1b725f8c79a0288e2466215e236736fe4b53ae43fadd98397ccacfe196f3e4
• Instruction Fuzzy Hash: FE112931254208BEEF205FB8CC46FBB3BACEF95B54F110514FA65E20A0D6B1DC619B50
Uniqueness

Uniqueness Score: -1.00%
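The per-function records above all share one layout (an APIs list with `Name.MODULE(args), ref: addr` entries, a Memory Dump Source block, and a Similarity block carrying the String ID and Opcode ID). When triaging a report of this size it is easier to pull the records into structured data and rank them than to scroll. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses records in this layout, strips the "Download File" link text that the page export fuses onto the dump names, decodes the `SendMessageW` message codes against the standard common-controls constants (`TBM_*` and `UDM_*` are `WM_USER`-relative values from commctrl.h, assumed here, not stated on the page), and flags the `GetVolumeInformationW` record, whose adjacent `%lu` string is consistent with formatting the volume serial number, a common host-fingerprint input. The embedded sample is a trimmed copy of two of the records in this section; `FINGERPRINT_APIS` is an assumed, illustrative watch-list.

```python
import re
from dataclasses import dataclass, field

# One "• Name.MODULE(args), ref: addr" line from the APIs block.  Parentheses are
# optional because the report prints bare "GetWindowLongW.USER32 ref: ..." lines too.
API_RE = re.compile(
    r"^•\s*(?P<name>\w+)\.(?P<module>[A-Z0-9_]+)(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
# Any other "• Key: value" bullet (Source File, Associated, String ID, Opcode ID, ...).
FIELD_RE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")
SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
                   "Similarity", "Uniqueness"}

WM_USER = 0x400
# Standard commctrl.h values (assumed; only the ones seen in this section are listed).
MESSAGE_NAMES = {
    WM_USER + 5: "TBM_SETPOS", WM_USER + 6: "TBM_SETRANGE", WM_USER + 20: "TBM_SETPAGESIZE",
    WM_USER + 101: "UDM_SETRANGE", WM_USER + 105: "UDM_SETBUDDY",
}
# Illustrative watch-list of APIs worth a second look during triage (assumption).
FINGERPRINT_APIS = {
    "GetVolumeInformationW": "reads volume serial/label; common host-fingerprint input",
}


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)    # (name, module, args tuple, ref)
    fields: dict = field(default_factory=dict)  # key -> [values], repeated keys kept
    uniqueness: str = ""


def parse_records(text):
    """Split report text into FunctionRecord objects, one per 'Uniqueness Score' block."""
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if line.startswith("Uniqueness Score:"):          # closes the current record
            cur.uniqueness = line.split(":", 1)[1].strip()
            records.append(cur)
            cur, section = FunctionRecord(), None
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                args = tuple(a for a in (m.group("args") or "").split(",") if a)
                cur.apis.append((m.group("name"), m.group("module"), args, m.group("ref")))
            continue
        m = FIELD_RE.match(line)
        if m:
            value = m.group("value").replace("Download File", "").strip()  # link residue
            cur.fields.setdefault(m.group("key").strip(), []).append(value)
    if cur.apis or cur.fields:                            # trailing record without a score
        records.append(cur)
    return records


def decode_message(api):
    """Return the symbolic name of a SendMessageW message code, or None for other APIs."""
    name, _module, args, _ref = api
    if name != "SendMessageW" or len(args) < 2:
        return None
    try:
        code = int(args[1], 16)
    except ValueError:                                    # '?' means Joe Sandbox could not resolve it
        return None
    return MESSAGE_NAMES.get(code, f"0x{code:X}")


def triage(records):
    """Summarise each record: APIs used, decoded messages, and watch-list hits."""
    out = []
    for rec in records:
        names = {a[0] for a in rec.apis}
        out.append({
            "opcode_id": rec.fields.get("Opcode ID", [""])[0][:16],
            "string_id": rec.fields.get("String ID", [""])[0],
            "apis": sorted(names),
            "messages": [m for m in (decode_message(a) for a in rec.apis) if m],
            "fingerprint": [FINGERPRINT_APIS[n] for n in sorted(names & FINGERPRINT_APIS.keys())],
        })
    return out


# Constructed sample: a trimmed copy of two records from this section of the report.
SAMPLE = """\
APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00964705
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00964713
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000), ref: 0096471A
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32
• Opcode ID: e70f56e9bca5736aa8f9e78be836ab9dcf4bc9e41892cec8ba6f9b9f522b771c
Uniqueness
Uniqueness Score: -1.00%
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00944A08
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00944A5C
• SetErrorMode.KERNEL32(00000000,?,?,0096CC08), ref: 00944AD0
Similarity
• API ID: ErrorMode$InformationVolume
• String ID: %lu
• Opcode ID: 6feb140d03d7133ca1471cbbfdf1673f7d103009d3ab3d2990e4c43d73cf767d
Uniqueness
Uniqueness Score: -1.00%
"""

if __name__ == "__main__":
    for row in triage(parse_records(SAMPLE)):
        print(row)
```

Feed the whole exported report to `parse_records` and sort the `triage` output by the `fingerprint` column to surface the host-inspection routines ahead of the GUI plumbing (tree view, up-down and trackbar control setup) that dominates this section.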

Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 14acfcd0927ab6f7b5af67987119fe6ffdf5322813dd57acc8d17d8f22a875b2
• Instruction ID: 22eb198ccca4ff7e11813bac65470b6229682e32d1a170d46e2da130a6df1b8e
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 14acfcd0927ab6f7b5af67987119fe6ffdf5322813dd57acc8d17d8f22a875b2
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 25C13975A0021AAFDB14CFA4C8A4AAEB7B9FF88704F208598E515EB251D731ED41DF90
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,0096FC08,?), ref: 009305F0
                                                                                                                                                                                                                                                          • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,0096FC08,?), ref: 00930608
                                                                                                                                                                                                                                                          • CLSIDFromProgID.OLE32(?,?,00000000,0096CC40,000000FF,?,00000000,00000800,00000000,?,0096FC08,?), ref: 0093062D
                                                                                                                                                                                                                                                          • _memcmp.LIBVCRUNTIME ref: 0093064E
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: FromProg$FreeTask_memcmp
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 314563124-0
                                                                                                                                                                                                                                                          • Opcode ID: f36211f082977f4115450428120fcb373ab49dbe52a2ef86c2453a3f931ddc79
                                                                                                                                                                                                                                                          • Instruction ID: 81540d7c2e4f15f3a9437bc5faec4266336d73f30bd8e261a20bca993e720fee
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f36211f082977f4115450428120fcb373ab49dbe52a2ef86c2453a3f931ddc79
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C181E871A00109AFCB04DF94C994DEEB7B9FF89315F204598F516AB250DB71AE06CF61
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetWindowRect.USER32(?,?), ref: 009662E2
                                                                                                                                                                                                                                                          • ScreenToClient.USER32(?,?), ref: 00966315
                                                                                                                                                                                                                                                          • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00966382
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Window$ClientMoveRectScreen
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 3880355969-0
                                                                                                                                                                                                                                                          • Opcode ID: 5e2a39bc6c94d080bb681f380bfed3266fa1c57abffc25994214c3950dadff74
                                                                                                                                                                                                                                                          • Instruction ID: 8e5b34978aea85a3f12f3c57cb724cf3bc82065fe4d1583747fe9b8543e33664
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5e2a39bc6c94d080bb681f380bfed3266fa1c57abffc25994214c3950dadff74
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5F510B74A00209AFDF14DF58D880DAE7BB9FF85364F10825AF865972A0D770AD41DB90
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0093AAAC
                                                                                                                                                                                                                                                          • SetKeyboardState.USER32(00000080), ref: 0093AAC8
                                                                                                                                                                                                                                                          • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0093AB36
                                                                                                                                                                                                                                                          • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0093AB88
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: KeyboardState$InputMessagePostSend
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 432972143-0
                                                                                                                                                                                                                                                          • Opcode ID: 5bc71a4e0b9fe7401749a408967592f4188472543de476840fd98ecea45c9f6a
                                                                                                                                                                                                                                                          • Instruction ID: b0ab59ac75d9ff43efcb3f67968ada52e32de0dab9b7b5e457d3d7d29b709a65
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5bc71a4e0b9fe7401749a408967592f4188472543de476840fd98ecea45c9f6a
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 70311671A40248AEFB35CB65CC05BFABBBEAB54320F04421BF1C1961D1D3788981DF66
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 008E9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 008E9BB2
                                                                                                                                                                                                                                                          • GetCursorPos.USER32(?), ref: 00969001
                                                                                                                                                                                                                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00927711,?,?,?,?,?), ref: 00969016
                                                                                                                                                                                                                                                          • GetCursorPos.USER32(?), ref: 0096905E
                                                                                                                                                                                                                                                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00927711,?,?,?), ref: 00969094
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
• Opcode ID: b5ab420c9e92654dbd838432207658632ec7c6b44d06bec01f1185fea3129deb
• Instruction ID: 2338892b85e63d76a69523ea0536111649f4ebdaaad513ccc17ee4d4513f6f8b
• Opcode Fuzzy Hash: b5ab420c9e92654dbd838432207658632ec7c6b44d06bec01f1185fea3129deb
• Instruction Fuzzy Hash: 4421BF35616018EFCF258F98CC58EFA3BBDEF8A360F004059F90587261C3719990EBA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetWindowLongW.USER32(?,000000EC), ref: 0096280A
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00962824
• SetWindowLongW.USER32(?,000000EC,00000000), ref: 00962832
• SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00962840
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Window$Long$AttributesLayered
• String ID:
• API String ID: 2169480361-0
• Opcode ID: 5989698cf9ea7036625cb41769dbfbdff48cb9fa2fa5a8bd7aa9483624635f8f
• Instruction ID: e6a6c8db10900f7c2345ccd7624011b10fc4ff4f42c8740add994d4bb9494115
• Opcode Fuzzy Hash: 5989698cf9ea7036625cb41769dbfbdff48cb9fa2fa5a8bd7aa9483624635f8f
• Instruction Fuzzy Hash: 7921C431209911AFD7149B24CC44FAA7799EF85324F148259F456CB6E2C7B5FC42C7D1
Uniqueness
Uniqueness Score: -1.00%

APIs
• InternetReadFile.WININET(?,?,00000400,?), ref: 0094CE89
• GetLastError.KERNEL32(?,00000000), ref: 0094CEEA
• SetEvent.KERNEL32(?,?,00000000), ref: 0094CEFE
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: ErrorEventFileInternetLastRead
• String ID:
• API String ID: 234945975-0
• Opcode ID: 07f09ece5d15c1b6b6fa218bae58118f82e0d8591d6abdff58f578a75e90672e
• Instruction ID: 16e963642c69e1299a3f1c16c96ced050266f232e1e245da0c97a5e8d04129c8
• Opcode Fuzzy Hash: 07f09ece5d15c1b6b6fa218bae58118f82e0d8591d6abdff58f578a75e90672e
• Instruction Fuzzy Hash: D0218CB15053059FDB60DFA5C948FA777FCEB50358F10482EE646D2151E774EE089B50
Uniqueness
Uniqueness Score: -1.00%

APIs
• GetCurrentThreadId.KERNEL32 ref: 0093E1FD
• MessageBoxW.USER32(?,?,?,?), ref: 0093E230
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0093E246
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0093E24D
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
• Opcode ID: 04f2b6c80814bc4abb2fc50d42ae417cf07f3ebeb40c11596b222bbb5ee99486
• Instruction ID: d2c7d40c450fc583ace418eee8be3c256088a6def1d0111c099b4cf16794ae4e
• Opcode Fuzzy Hash: 04f2b6c80814bc4abb2fc50d42ae417cf07f3ebeb40c11596b222bbb5ee99486
• Instruction Fuzzy Hash: 3E11DBB691C254BBCB119FA89C05EAF7FADEF46314F044259F924E32D1D6B0DD049BA0
Uniqueness
Uniqueness Score: -1.00%

APIs
• CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 008D604C
• GetStockObject.GDI32(00000011), ref: 008D6060
• SendMessageW.USER32(00000000,00000030,00000000), ref: 008D606A
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: CreateMessageObjectSendStockWindow
• String ID:
• API String ID: 3970641297-0
• Opcode ID: 4224182006fa419e312d87b1a932dfbb525b61876b3f0b6e9885d8c38b03ce43
• Instruction ID: f094c2acf73dcd39e59207661ebe167bd79d276c257aae5c8632e0a0b3141ae6
• Opcode Fuzzy Hash: 4224182006fa419e312d87b1a932dfbb525b61876b3f0b6e9885d8c38b03ce43
• Instruction Fuzzy Hash: 191161B250590DBFEF125F94DC44EEA7B69FF19364F040216FA14A2110D776DC60EB90
Uniqueness
Uniqueness Score: -1.00%

APIs
• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00932DC5
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00932DD6
• GetCurrentThreadId.KERNEL32 ref: 00932DDD
• AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00932DE4
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                                          • API String ID: 2710830443-0
                                                                                                                                                                                                                                                          • Opcode ID: 6b7f7d98ca70f79678a4d44a1b3ed714f0c3928d67a61733cc758314798f9149
                                                                                                                                                                                                                                                          • Instruction ID: d6101b785decf7ea0dbc7d0a43272c0b4177537abb2ae8f188151f432ab25d67
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6b7f7d98ca70f79678a4d44a1b3ed714f0c3928d67a61733cc758314798f9149
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C4E06DB11192247ADB202B62DC0DFFB7E6CEF42BA1F000019F106D10809AE58840DAB0
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 008E9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 008E9693
  • Part of subcall function 008E9639: SelectObject.GDI32(?,00000000), ref: 008E96A2
  • Part of subcall function 008E9639: BeginPath.GDI32(?), ref: 008E96B9
  • Part of subcall function 008E9639: SelectObject.GDI32(?,00000000), ref: 008E96E2
• MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00968887
• LineTo.GDI32(?,?,?), ref: 00968894
• EndPath.GDI32(?), ref: 009688A4
• StrokePath.GDI32(?), ref: 009688B2
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
• String ID:
• API String ID: 1539411459-0
• Opcode ID: de75ad3622ca2ed9fd5e672ace93d8cbb357011c5836329dff42dfde93df88e8
• Instruction ID: ec007f40b10b1a840e5a73f6ed4c4a5e7bec9487d176689e823878836a5f14f9
• Opcode Fuzzy Hash: de75ad3622ca2ed9fd5e672ace93d8cbb357011c5836329dff42dfde93df88e8
• Instruction Fuzzy Hash: B8F0BE36019258FADF126F94AC09FDE3F19AF0A310F408104FA61610E1C7B40510EFE5
Uniqueness
Uniqueness Score: -1.00%
APIs
  • Part of subcall function 008D7620: _wcslen.LIBCMT ref: 008D7625
• WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00944ED4
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: Connection_wcslen
• String ID: *$LPT
• API String ID: 1725874428-3443410124
• Opcode ID: 9fe5febf632d91e78af8c5d021fb2d19ca5514340ffc621e46e6b8d671276291
• Instruction ID: 2d6ce9450b9ac822f29d52c82c375111961e4eb0cf5afbeafa2136b64d2d286d
• Opcode Fuzzy Hash: 9fe5febf632d91e78af8c5d021fb2d19ca5514340ffc621e46e6b8d671276291
• Instruction Fuzzy Hash: FF914C75A002049FDB14DF58C484EAABBF5FF48304F198099E84A9F3A2D775EE85CB91
Uniqueness
Uniqueness Score: -1.00%
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID:
• String ID: #
• API String ID: 0-1885708031
• Opcode ID: 216c00e46d00ce8228f9c31f620943480abe1252fcb0505ae306522807deaedc
• Instruction ID: 9b131215c53507d219978cc5be16ea27e6b5ba5013ff0761c44befb73ebab471
• Opcode Fuzzy Hash: 216c00e46d00ce8228f9c31f620943480abe1252fcb0505ae306522807deaedc
• Instruction Fuzzy Hash: CE514335604296DFDB15DF68D081ABA7BACFF16310F248059F891DB2C4D7349D42CBA1
Uniqueness
Uniqueness Score: -1.00%
APIs
• SendMessageW.USER32(00000027,00001132,00000000,?), ref: 0096461F
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00964634
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
• Opcode ID: 30f0111151b7765f3e1b04a7f774018a95ff1f2dbe2c72c9de466ec2fd4672ea
• Instruction ID: fd9fc0e9627a90b4608ac7038f231d97dbb930264df50229e94a13d48a106cd2
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 30f0111151b7765f3e1b04a7f774018a95ff1f2dbe2c72c9de466ec2fd4672ea
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 13312A74A0130A9FDF14CFA9C990BDA7BB9FF49300F14406AE905AB351D770A941CF90
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0094CD7D
                                                                                                                                                                                                                                                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0094CDA6
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Internet$OpenOption
                                                                                                                                                                                                                                                          • String ID: <local>
                                                                                                                                                                                                                                                          • API String ID: 942729171-4266983199
                                                                                                                                                                                                                                                          • Opcode ID: ac1b914936715181688ee4a993f5657e2a8290ac17597433bbcc37a047e30646
                                                                                                                                                                                                                                                          • Instruction ID: 4f06705bff4614185d2d79f3b3e2ccda37069c63ea1eeef1f10a98b783c1b970
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ac1b914936715181688ee4a993f5657e2a8290ac17597433bbcc37a047e30646
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 741102F1A06631BED7784B668C48EF7BEACEF127A4F00422AB109830C0D3749840D6F0
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 008D9CB3: _wcslen.LIBCMT ref: 008D9CBD
                                                                                                                                                                                                                                                          • CharUpperBuffW.USER32(?,?,?), ref: 00936CB6
                                                                                                                                                                                                                                                          • _wcslen.LIBCMT ref: 00936CC2
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: _wcslen$BuffCharUpper
                                                                                                                                                                                                                                                          • String ID: STOP
                                                                                                                                                                                                                                                          • API String ID: 1256254125-2411985666
                                                                                                                                                                                                                                                          • Opcode ID: d092362b006201e6cf27363e91bcc459a690b29c48976e9c11bcba0bb8c36a0f
                                                                                                                                                                                                                                                          • Instruction ID: e8c2c2e100dc830b310361b6b148ee68886232a7d02fb8c76ce95cd2e39922c6
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d092362b006201e6cf27363e91bcc459a690b29c48976e9c11bcba0bb8c36a0f
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B3010432610526AACB20AFBDDC809BF77B8FB60714F104929E9A2D6291EB31D900CB50
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00930B23
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
                                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                                          • API ID: Message
                                                                                                                                                                                                                                                          • String ID: AutoIt$Error allocating memory.
                                                                                                                                                                                                                                                          • API String ID: 2030045667-4017498283
                                                                                                                                                                                                                                                          • Opcode ID: 14adb4f0ac076288605bdfe5e2696470bcb74fc469cf4b5d14308de289b36608
                                                                                                                                                                                                                                                          • Instruction ID: 3daf22969f20846d612ee72e1b12bb9026fc4c5bbda603a087d4838a7991f4bb
                                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 14adb4f0ac076288605bdfe5e2696470bcb74fc469cf4b5d14308de289b36608
                                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 32E0D87134434C36D71436597C03F997B84DF05B64F10042BF7C8D55C38AD2245017AA
                                                                                                                                                                                                                                                          Uniqueness

                                                                                                                                                                                                                                                          Uniqueness Score: -1.00%

                                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                                            • Part of subcall function 008EF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,008F0D71,?,?,?,008D100A), ref: 008EF7CE
                                                                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,008D100A), ref: 008F0D75
                                                                                                                                                                                                                                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,008D100A), ref: 008F0D84
                                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 008F0D7F
                                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          • Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmpDownload File
                                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 55579361-631824599
• Opcode ID: 878a6dd6e9956eec803665d5613d7b1da95ac48b22e160612a248d3aa4dde496
• Instruction ID: 55e9a262d4b6856013ae4213839995e188ffe69ca8dfaff65e8473e535c62922
• Opcode Fuzzy Hash: 878a6dd6e9956eec803665d5613d7b1da95ac48b22e160612a248d3aa4dde496
• Instruction Fuzzy Hash: 95E06DB42007518FD730AFBCE8147667BE4FF04744F008A2DE992C6652DBB1E4489F91
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0096232C
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0096233F
  • Part of subcall function 0093E97B: Sleep.KERNEL32 ref: 0093E9F3
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 1dc2005b2904a1b724226af1bda10bb49661dde6b7f31061962bbe98ffb08cfa
• Instruction ID: 37389dfa2d33238769c92c543584a072acdaea9b1987e261817193781d8dd77a
• Opcode Fuzzy Hash: 1dc2005b2904a1b724226af1bda10bb49661dde6b7f31061962bbe98ffb08cfa
• Instruction Fuzzy Hash: C1D012763A8311B7EB64B770EC0FFD67A149B44B14F00491AB786AA1D0C9F0A801DB58
Uniqueness

Uniqueness Score: -1.00%

APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0096236C
• PostMessageW.USER32(00000000), ref: 00962373
  • Part of subcall function 0093E97B: Sleep.KERNEL32 ref: 0093E9F3
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
• Associated: 0000000D.00000002.2664897514.00000000008D0000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.000000000096C000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665044824.0000000000992000.00000002.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665213416.000000000099C000.00000004.00000001.01000000.0000000F.sdmp
• Associated: 0000000D.00000002.2665287015.00000000009A4000.00000002.00000001.01000000.0000000F.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_8d0000_fb1076712b.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 465eaac5d2c45b2dc0371506100c878e1f353ff6e5f02bee54cff3393c682f48
• Instruction ID: 31c7fb22930674d5bd8992964a8211b40afce7b7163b2f857f7b3a094f649a10
• Opcode Fuzzy Hash: 465eaac5d2c45b2dc0371506100c878e1f353ff6e5f02bee54cff3393c682f48
• Instruction Fuzzy Hash: 7DD0C9723993117AEA64B770EC0FFD66A149B44B14F40491AB686AA1D0C9E0A8019A58
Uniqueness

Uniqueness Score: -1.00%
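The two Shell_TrayWnd entries above record the sample (flagged by Joe Sandbox as a likely compiled AutoIt script) locating the taskbar window with FindWindowW and posting it a message. In the first entry the decoded arguments are hwnd=0, msg=00000111 (WM_COMMAND) and wParam=00000197 (407), i.e. a taskbar command ID; in the second only the first argument was recovered, so the message is unknown. Posting WM_COMMAND to Shell_TrayWnd drives the taskbar's own command handler (AutoIt's WinMinimizeAll is implemented this way). As an added example, not part of the Joe Sandbox report, the following Python parses function entries in the report's "APIs" layout and flags that FindWindowW/PostMessageW pairing, reporting when the message argument was not recovered. The excerpt it parses is constructed from the lines above, and the WM_NAMES table and the rule in find_shell_tray_commands are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Constructed excerpt (not the full report): the two function entries above, in the
# "APIs" layout the Joe Sandbox function report uses.
REPORT_EXCERPT = """\
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0096232C
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0096233F
  • Part of subcall function 0093E97B: Sleep.KERNEL32 ref: 0093E9F3
Strings
Memory Dump Source
• Source File: 0000000D.00000002.2664941038.00000000008D1000.00000020.00000001.01000000.0000000F.sdmp, Offset: 008D0000, based on PE: true
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0096236C
• PostMessageW.USER32(00000000), ref: 00962373
  • Part of subcall function 0093E97B: Sleep.KERNEL32 ref: 0093E9F3
Strings
"""

# Window message IDs as defined in winuser.h (only the ones this example decodes).
WM_NAMES = {0x0010: "WM_CLOSE", 0x0111: "WM_COMMAND", 0x0112: "WM_SYSCOMMAND"}

API_RE = re.compile(r"^•\s+(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")
SUBCALL_RE = re.compile(r"^•\s+Part of subcall function\s+([0-9A-Fa-f]+):\s*(\w+)\.(\w+)")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[Union[int, str]]
    ref: int                     # address of the call site inside the dumped module
    subcalls: List[str] = field(default_factory=list)


@dataclass
class Finding:
    ref: int
    window_class: str
    message: Optional[str]       # None when the sandbox did not recover the msg argument
    wparam: Optional[int]


def parse_arg(tok: str) -> Union[int, str]:
    """Numeric arguments are printed as 8 hex digits; anything else is a decoded string."""
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok


def parse_functions(text: str) -> List[List[ApiCall]]:
    """One list of ApiCall per 'APIs' header; the list ends at the next 'Strings' label."""
    functions: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            functions.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            name, module, argstr, ref = m.groups()
            args = [parse_arg(a) for a in argstr.split(",")] if argstr else []
            current.append(ApiCall(name, module, args, int(ref, 16)))
            continue
        m = SUBCALL_RE.match(line)
        if m and current:
            current[-1].subcalls.append(f"{m.group(2)}.{m.group(3)}")
            continue
        if line in ("Strings", "Memory Dump Source"):
            current = None
    return functions


def find_shell_tray_commands(functions: List[List[ApiCall]]) -> List[Finding]:
    """Flag FindWindow(Shell_TrayWnd) followed by Post/SendMessage in the same function.
    A WM_COMMAND to the taskbar window triggers one of its built-in commands."""
    findings: List[Finding] = []
    for calls in functions:
        target: Optional[str] = None
        for c in calls:
            if c.name in ("FindWindowW", "FindWindowA") and c.args and c.args[0] == "Shell_TrayWnd":
                target = c.args[0]
            elif target and c.name in ("PostMessageW", "PostMessageA", "SendMessageW", "SendMessageA"):
                msg = c.args[1] if len(c.args) > 1 and isinstance(c.args[1], int) else None
                wparam = c.args[2] if len(c.args) > 2 and isinstance(c.args[2], int) else None
                name = None if msg is None else WM_NAMES.get(msg, f"0x{msg:04X}")
                findings.append(Finding(c.ref, target, name, wparam))
    return findings


if __name__ == "__main__":
    for f in find_shell_tray_commands(parse_functions(REPORT_EXCERPT)):
        msg = f.message or "<msg not recovered>"
        wp = "?" if f.wparam is None else f"{f.wparam} (0x{f.wparam:X})"
        print(f"ref {f.ref:08X}: {f.window_class} <- {msg}, wParam={wp}")
```

Only the first entry yields a decodable command ID; the second is reported with the message marked as not recovered rather than guessed, which is the distinction an analyst needs before attributing behaviour to a call the sandbox only partially resolved.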